768GB of RAM in 1U

KEY FEATURES

iXR-22X4IB
- Dual Intel® Xeon® Processors E5-2600 Family per node
- Intel® C600 series chipset
- Four server nodes in 2U of rack space
- Up to 256GB main memory per server node
- One Mellanox® ConnectX QDR 40Gbp/s Infiniband w/QSFP Connector per node
- 12 SAS/SATA drive bays, 3 per node
- Hardware RAID via LSI2108 controller
- Shared 1620W redundant high-efficiency Platinum level (91%+) power supplies

iXR-1204+10G
- Dual Intel® Xeon® Processors E5-2600 Family
- Intel® C600 series chipset
- Intel® X540 Dual-Port 10 Gigabit Ethernet Controllers
- Up to 16 Cores and 32 process threads
- Up to 768GB main memory
- Four SAS/SATA drive bays
- Onboard SATA RAID 0, 1, 5, and 10
- 700W high-efficiency redundant power supply with FC and PMBus (80%+ Gold Certified)
High-Density iXsystems Servers powered by the Intel® Xeon® Processor E5-2600 Family and Intel® C600 series chipset can pack up to 768GB of RAM into 1U of rack space or up to 8 processors, with up to 128 threads, in 2U.


On-board 10 Gigabit Ethernet and Infiniband for Greater 
Throughput in less Rack Space. 


Servers from iXsystems based on the Intel® Xeon® Processor E5-2600 
Family feature high-throughput connections on the motherboard, saving 
critical expansion space. The Intel® C600 Series chipset supports up to 
384GB of RAM per processor, allowing performance in a single server to 
reach new heights. This ensures that you're not paying for more than you 
need to achieve the performance you want. 


The iXR-1204+10G features dual onboard 10GigE + dual onboard 1GigE network controllers, up to 768GB of RAM and dual Intel® Xeon® Processors E5-2600 Family, freeing up critical expansion card space for application-specific hardware. The uncompromised performance and flexibility of the iXR-1204+10G make it suitable for clustering, high-traffic webservers, virtualization, and cloud computing applications, anywhere you need the most resources available.


For even greater performance density, the iXR-22X4IB squeezes four server nodes into two units of rack space, each with dual Intel® Xeon® Processors E5-2600 Family, up to 256GB of RAM, and an on-board Mellanox® ConnectX QDR 40Gbp/s Infiniband w/QSFP Connector. The iXR-22X4IB is perfect for high-powered computing, virtualization, or business intelligence applications that require the computing power of the Intel® Xeon® Processor E5-2600 Family and the high throughput of Infiniband.





Intel, the Intel logo, and Xeon Inside are trademarks or registered trademarks of Intel Corporation in the U.S. and other countries. 


Call iXsystems toll free or visit our website today! 1-855-GREP-4-IX | www.iXsystems.com 





Dear Readers, 

2013 is nearly over. Some of you are new to our magazine and some are with us for months, even years. The end of the year approaches rapidly and we decided that in exchange for your unmeasurable support, we will tell you our story that should give you an insight into what we have been through this year.

Let’s discuss the statistics. This should help you visualize our 
work with the magazine and understand the process we have 
to undergo in order to meet your expectations. 

This year, we have published 12 BSD issues — around 600 pages. 600 pages equals 35,68 m2 that our articles could cover. All the issues published in 2013, when put on the scale, would weigh 34,28 pounds (12,79 kilos). Throughout the year, our readership base escalated 2 times — from slightly over 21459 to 49890 readers.

As you know, we are the number 71 BSD publication in the world. We would like to thank iXsystems company and all the team who has supported us from the very beginning. I would like to thank Denise Ebery and Annie A. Zhang for their patience, professionalism and a great work on all issues of BSD magazine.

In order to give you the materials you had a chance to read 
this year, we were working over 250 days, which equals more 
than 2000 hours for each employee. These few pages you 
go through in a couple of hours on a monthly basis, cost our 
experts almost 1000 weeks to prepare. Our beta testers and 
proofreaders have spent a similar amount of time making sure 
that you will enjoy your reading. Finally, our graphic devoted 
3000 hours designing the layout to appeal to your eyes. 

During our fight for your right to admin better, we have also suffered losses. As you may guess, our main weapon is the computer. Just like in every war, the equipment is exploited heavily and put through extreme situations. You may be sure that we have pushed our PCs to their absolute limits. We have overheated our processors, filled the hard drives, overused internet connection transfers, etc. Most of our inventory has survived, although we cannot deny there were casualties — 10 computer mice have passed away during the harsh battles for knowledge.

However, as long as we have our precious readers, we have a purpose. We owe you a huge THANK YOU. Everything we do, we do with you on our minds. We are grateful for every comment and opinion, either positive or negative. Every word from you lets us improve BSD magazine and brings us closer to the ideal shape of our publication, or, we should say — your publication.


Thank you BSD fans for your invaluable support and contribution. 
Ewa & BSD team 
Storage

Configuring a Highly Available Service on FreeBSD — Part 1: HAST
Jeroen van Nieuwenhuizen
In this first part of the series, Jeroen introduces HAST, a relatively easy way to make storage highly available on FreeBSD, and introduces the hastd daemon and its configuration file /etc/hast.conf. Furthermore you learn how to control HAST with the hastctl command and how to recover from a splitbrain situation.


NetBSD 6.0 


IT Inventory & Asset Management Automation
José B. Alos
José will provide the details of implementation of an Asset Management system based on a computer running NetBSD 6.0 to handle large IT platform sites, capable of acting as a gateway to collect all information from IT programmable devices with minimal effort on behalf of the administrator and using the benefits of Open Source solutions provided by the OCS Inventory and GLPI Asset management projects.


Security

FreeBSD Programming Primer — Part 10
Rob Somerville
In the previous article we put in place a very crude login system that allowed anyone to login to our CMS and add content. Rob, in the tenth part of our series on programming, shows you how to improve the login process, add more security, and keep spam robots under control.


pfSense + Snort: Fast Approach
Salih Khan
pfSense is a FreeBSD-based distro specially oriented as a security appliance for firewall UTM with many modules ready for more functions. You can integrate things like squid, dansguardian, varnish, mod_security, and... snort! This article is to encourage all of you to test this marvelous software and experiment with packets and plugins.


How Secure Can Secure Shell (SSH) Be?
Arkadiusz Majewski, BEng
SSH is a great and rich protocol and can be used not only for SSH connections (terminal connections), but also for file transfer, known as SFTP, or for VPN tunneling. The OpenSSH configuration works great for SFTP connections using the mentioned WinSCP application. WinSCP is easy and similar to the PuTTY configuration. Arkadiusz will teach you how to configure OpenSSH and how a few configuration options may make your remote connections more secure, based on OpenSSH.


Column 


With the Recent Revelation That the United States Spied on Angela Merkel and the Subsequent Outrage From Politicians — is this a Case of the "Lady Doth Protest Too Much"?


Rob Somerville 


Reports 


Maximising Website Runtime on Host Servers Running FreeBSD
Luke Marsden
Luca Ferrari
Configuring a Highly Available Service on FreeBSD - Part 1: HAST


One of the problems a system administrator has when providing services like NFS on a network is that sometimes they are critical to the business and downtime needs to be kept to an absolute minimum. This problem can be solved with tools native to FreeBSD.


What you will learn...

- How to configure HAST
- How to control HAST
- How to recover from HAST failures

What you should know...

- How to install FreeBSD
- How to login to FreeBSD
- How to edit files on FreeBSD

In this series of articles, we will introduce and learn how to use these building blocks to make a service and the underlying storage highly available. As an example we will build a highly available NFS server running on two FreeBSD 9.2 machines called nfs-01 and nfs-02. The underlying principles can be applied to other services as well. In this first part of the series we will learn how to make storage highly available by using HAST. We will take a look at what HAST is, how to configure it, how to control it and how to recover from failures like a splitbrain situation.

What is HAST?

HAST stands for Highly Available Storage. The main component of HAST is the hastd daemon, which allows the user to transparently store data on two physically separated machines which are connected over TCP/IP. HAST supports both IPv4 and IPv6 connections. The creation of these connections is always initiated by the primary node. In this active/passive setup, the redundant storage can be accessed only on the active node, where a disk-like device is presented under /dev/hast/<resourcename>. This <resourcename> is a GEOM provider. An important thing to know is that HAST does not configure or change the active (primary) or passive (secondary) role by itself. To automate role switching, other tools, like for example CARP, have to be configured to handle the failover.


How to configure HAST

The main configuration of the hastd daemon is done in the /etc/hast.conf file. This file can consist of a global section, a node specific section and a resource specific section. Let's explore the basic configuration for our setup as described in Listing 1.

In the global section we see the timeout 20 line, which sets the default timeout for the connection between the hastd daemons on the nodes. This global timeout could be overridden in the node specific and resource specific sections if we wanted to.

If we look at the node specific section for nfs-01 (see Listing 2), we first note the on nfs-01 { line, which specifies that this part is valid for the machine called nfs-01. One advantage of using this construction is that it is possible to use the same configuration file on all nodes, because a node will only pick up the global parts and the parts for itself. It will thus ignore the on <othernodename> parts of the configuration file.

The second line of the node specific section for nfs-01 says:

pidfile /var/run/hastd.pid

which indicates that the pidfile used by hastd on nfs-01 should be placed in /var/run/hastd.pid (which is the default). The last line closes the node specific section.

Let us now continue by looking at the resource specific section (Listing 3). We first see the resource keyword followed by the name of the resource, sharedbynfs. This means that the resource is called sharedbynfs and will become available under /dev/hast/sharedbynfs on the primary node when hastd has been started and initiated.

If we look at the node specific part of the resource section, we see two configuration options for every node. First the local directive, which specifies the local device used on this node as a backing device for hast. In this example we will use the /dev/da1 disk. The second line (remote) specifies the name of the other node. So for nfs-01 it is nfs-02 and for nfs-02 it is nfs-01.

Of course there are more options than specified in the configuration above. You can find the description of them in the hast.conf manual page (man hast.conf).
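As an added example (not code from the article and not FreeBSD's own parser), the following Python script reads a hast.conf of the shape described above and checks it for the mistakes that are easy to make when one file is copied to both nodes: a node section whose remote points at itself or at a node the resource does not declare, a missing local or remote line, or a resource with other than two nodes. It understands only the keywords this article uses (timeout, on, pidfile, resource, local, remote) and assumes, as the article does, that remote is the peer's node name rather than an address; the embedded sample configuration is constructed to match Listing 1.

```python
"""Parse and sanity-check a hast.conf before handing it to hastd.

Added example: not part of the article and not FreeBSD's parser. Only the
keywords used in the article are understood, and `remote` is assumed to be
the peer's node name (the article's convention), not an address.
"""
import re

SAMPLE_HAST_CONF = """\
# constructed sample, equivalent to the article's Listing 1
timeout 20

on nfs-01 {
    pidfile /var/run/hastd.pid
}
on nfs-02 {
    pidfile /var/run/hastd.pid
}

resource sharedbynfs {
    on nfs-01 {
        local /dev/da1
        remote nfs-02
    }
    on nfs-02 {
        local /dev/da1
        remote nfs-01
    }
}
"""


def tokenize(text):
    """Drop '#' comments and split into words and braces."""
    text = re.sub(r"#.*", "", text)
    return re.findall(r"\{|\}|[^\s{}]+", text)


def parse_hast_conf(text):
    """Return (globals, nodes, resources).

    nodes:     {node: {option: value}}              from top-level 'on' blocks
    resources: {resource: {node: {option: value}}}  from 'on' blocks inside 'resource'
    """
    tokens = tokenize(text)
    globals_, nodes, resources = {}, {}, {}
    stack = []          # (block kind, dict receiving this block's options)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "}":
            if not stack:
                raise ValueError("unbalanced '}'")
            stack.pop()
            i += 1
        elif tok in ("on", "resource"):
            if i + 2 >= len(tokens) or tokens[i + 2] != "{":
                raise ValueError(f"expected '{tok} <name> {{'")
            name = tokens[i + 1]
            if tok == "resource":
                block = resources.setdefault(name, {})
            elif stack and stack[-1][0] == "resource":
                block = stack[-1][1].setdefault(name, {})   # node section of a resource
            else:
                block = nodes.setdefault(name, {})          # top-level node section
            stack.append((tok, block))
            i += 3
        else:
            if i + 1 >= len(tokens):
                raise ValueError(f"option {tok!r} has no value")
            target = stack[-1][1] if stack else globals_
            target[tok] = tokens[i + 1]
            i += 2
    if stack:
        raise ValueError("unterminated block")
    return globals_, nodes, resources


def check_hast_conf(text):
    """Return a list of readable problems; an empty list means the file looks sane."""
    globals_, nodes, resources = parse_hast_conf(text)
    problems = []
    timeout = globals_.get("timeout")
    if timeout is not None and not timeout.isdigit():
        problems.append(f"timeout {timeout!r} is not an integer")
    for res, members in resources.items():
        if len(members) != 2:
            problems.append(f"{res}: a HAST resource needs exactly two nodes, found {len(members)}")
        for node, opts in members.items():
            for key in ("local", "remote"):
                if key not in opts:
                    problems.append(f"{res}/{node}: missing '{key}'")
            remote = opts.get("remote")
            if remote == node:
                problems.append(f"{res}/{node}: remote points at the node itself")
            elif remote is not None and remote not in members:
                problems.append(f"{res}/{node}: remote {remote!r} is not a node of this resource")
    return problems


if __name__ == "__main__":
    print(check_hast_conf(SAMPLE_HAST_CONF) or "configuration looks sane")
```

Run it against /etc/hast.conf on each node before `hastctl create`; a file that passes on one node but not the other is a sign the copies have drifted apart.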


Starting hastd and controlling HAST

Now that the configuration is in place, we have to initialise our resource on both nodes with the hastctl command (Listing 4).

This initialisation creates the metadata that hast needs to be able to determine which data still needs to be synchronised between the nodes.

Now that we have our metadata initialised we can start using hast. To start hast, we have to add the line hastd_enable="YES" to /etc/rc.conf. Then we have to start hastd and set a role on each node (see Listing 5 for the commands). In this example we make nfs-01 the primary node and nfs-02 the secondary node. Also note the use of the hastctl status command to check the current status of our hast configuration.

Creating a filesystem

Now that we have a working hast setup, it is time to put a filesystem (newfs) on it and make that filesystem available under /export on the primary node (nfs-01) with the mount command. The exact commands to do this are described in Listing 6. Please note that we are using the noatime mount option to reduce the number of I/O requests, which in turn reduces the number of synchronisation actions that hastd has to execute.

Listing 1. Our hast.conf

timeout 20

on nfs-01 {
    pidfile /var/run/hastd.pid
}
on nfs-02 {
    pidfile /var/run/hastd.pid
}

resource sharedbynfs {
    on nfs-01 {
        local /dev/da1
        remote nfs-02
    }
    on nfs-02 {
        local /dev/da1
        remote nfs-01
    }
}

Listing 2. Node nfs-01 specific section from hast.conf

on nfs-01 {
    pidfile /var/run/hastd.pid
}

Listing 3. Resource specific section from hast.conf

resource sharedbynfs {
    on nfs-01 {
        local /dev/da1
        remote nfs-02
    }
    on nfs-02 {
        local /dev/da1
        remote nfs-01
    }
}

Listing 4. Initializing our resource

hastctl create sharedbynfs

Listing 5. Starting hastd

nfs-01# echo 'hastd_enable="YES"' >> /etc/rc.conf
nfs-01# service hastd start
nfs-01# hastctl role primary sharedbynfs
nfs-01# hastctl status

nfs-02# echo 'hastd_enable="YES"' >> /etc/rc.conf
nfs-02# service hastd start
nfs-02# hastctl role secondary sharedbynfs
nfs-02# hastctl status

Listing 6. Putting a filesystem on the sharedbynfs hast resource

nfs-01# newfs -U /dev/hast/sharedbynfs
nfs-01# mkdir /export
nfs-01# mount -o noatime /dev/hast/sharedbynfs /export


Failover

Of course it is nice to have a setup like this, but to be able to put it to good use we must know how to do a manual failover. Assuming both nodes are still up and running this is relatively straightforward. We use our example setup with nfs-01 and nfs-02 to move the primary node from nfs-01 to nfs-02. First we umount the filesystem on nfs-01 and mark nfs-01 as secondary. When nfs-01 has become a secondary node, we can make nfs-02 the primary node, check the filesystem and mount the filesystem on nfs-02 (see Listing 7 for the exact commands). It is a good practice to always check the filesystem after a failover, but before mounting. The reason for this is that in case of a failover due to a failing node, we can not be sure that every bit of data has been synchronised to the other side. This means that we can not be sure that the filesystem is in a clean and consistent state.

Listing 7. Failover from nfs-01 to nfs-02

nfs-01# umount /export
nfs-01# hastctl role secondary sharedbynfs

nfs-02# hastctl role primary sharedbynfs
nfs-02# fsck -t ufs /dev/hast/sharedbynfs
nfs-02# mount -o noatime /dev/hast/sharedbynfs /export

Listing 8. Recovering from a splitbrain situation

nfs-02# hastctl role init sharedbynfs
nfs-02# hastctl create sharedbynfs
nfs-02# hastctl role secondary sharedbynfs
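The manual failover of Listing 7 is a sequence whose order matters: the old primary must have released the filesystem and dropped to secondary before the other node is promoted, and the filesystem must be checked before it is mounted. As an added example (not from the article or from FreeBSD), the Python runbook below encodes that order and stops at the first failing step, so a busy mount point on nfs-01 never leads to two primaries and a failed fsck never leads to a mount. The commands are the article's; reaching each node through ssh, and the injectable `run` callable used to rehearse the plan with a recorder, are assumptions of this example.

```python
"""The manual failover of Listing 7 as a checked, ordered sequence.

Added example: not from the article or from FreeBSD. Commands are the ones
the article shows; the `ssh` prefix and the injectable `run` callable are
assumptions so the plan can be rehearsed before touching real nodes.
"""
import subprocess


def run_local(argv):
    """Default runner: execute argv and raise on a non-zero exit status."""
    subprocess.run(argv, check=True)


def failover_plan(old_primary, new_primary, resource, mountpoint, ssh_cmd=("ssh",)):
    """Return the ordered commands for moving `resource` from old_primary to new_primary."""
    if old_primary == new_primary:
        raise ValueError("old and new primary must differ")
    dev = f"/dev/hast/{resource}"
    on_old = lambda *cmd: [*ssh_cmd, old_primary, *cmd]
    on_new = lambda *cmd: [*ssh_cmd, new_primary, *cmd]
    return [
        # 1. release the filesystem on the old primary before demoting it
        on_old("umount", mountpoint),
        on_old("hastctl", "role", "secondary", resource),
        # 2. only after the old primary is secondary may the other node be promoted
        on_new("hastctl", "role", "primary", resource),
        # 3. check the filesystem before mounting: after a failover the last
        #    writes may not have reached this node
        on_new("fsck", "-t", "ufs", dev),
        on_new("mount", "-o", "noatime", dev, mountpoint),
    ]


def failover(old_primary, new_primary, resource, mountpoint, run=run_local, ssh_cmd=("ssh",)):
    """Execute the plan step by step and stop at the first failing step.

    Returns (completed_steps, failed_step). Any exception raised by `run`
    (a non-zero exit from subprocess, an unreachable host, ...) halts the
    sequence, so a failed umount leaves the old primary untouched and a
    failed fsck never mounts the filesystem.
    """
    completed = []
    for argv in failover_plan(old_primary, new_primary, resource, mountpoint, ssh_cmd):
        try:
            run(argv)
        except Exception:
            return completed, argv
        completed.append(argv)
    return completed, None


if __name__ == "__main__":
    # dry run: print the plan for the article's setup without executing it
    for step in failover_plan("nfs-01", "nfs-02", "sharedbynfs", "/export"):
        print(" ".join(step))
```

Running the module prints the plan for nfs-01 to nfs-02; passing `run=run_local` executes it, and passing a recording callable rehearses it.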


Recovering from a split brain situation

Now that we know how to handle a failover situation, it is also a good idea to take a look at what to do when both nodes thought they were the primary and have written to the underlying storage. In this case we can not avoid data loss, so a decision has to be made which node will resynchronise its data from the other node. That node will have to be disconnected, reinitialised and put in the secondary role, after which full data synchronisation will take place. See Listing 8 for the exact commands to do this, where we assume that nfs-02 has to be reinitialised.


Conclusion

In this first part of the series we introduced HAST, a relatively easy way to make storage highly available on FreeBSD. We introduced the hastd daemon and its configuration file /etc/hast.conf. Furthermore we learned how to control HAST with the hastctl command and how to recover from a splitbrain situation. Now that we have configured HAST and therefore have created a highly available storage pool for our service, we will learn how to automate failover with CARP and devd in the next part of this series.


JEROEN VAN NIEUWENHUIZEN 

Jeroen van Nieuwenhuizen works as a unix consultant for Snow. His 
free time activities beside playing with FreeBSD include cycling, chess 
and ice skating. 


11/2013 








iBLISS
Penetration tests, Application Security, Managed Security Services (MSS).
Do as the largest companies in Brazil do: contact us!
www.ibliss.com.br  info@ibliss.com.br  +55 11 3255-3926
Security & Intelligence


NETBSD 6.0 





IT Inventory & Asset Management Automation

The main aim of this article is to provide details of the implementation of an Asset Management system based on a computer running NetBSD 6.0 to handle large IT platform sites, capable of acting as a gateway to collect all information from IT programmable devices with minimal effort for the administrator and using the benefits of Open Source solutions provided by the OCS Inventory and GLPI Asset management projects. Moreover, the reader can extrapolate the procedures explained hereinafter to other Unix OS flavors with no major changes to achieve his own purposes.


What you will learn...

- Deployment of a combined inventory/asset management solution
- Inventory agents configuration for Unix/MS Windows platforms
- Basic operations on IT inventory and common features
- MySQL database installation, configuration and population


The classes of supported hardware and software devices are:

- Computers
- Network adapters
- BIOS/OBP PROM
- Storage/Removable Media
- Video
- Printers
- Virtual machines, including Solaris zones
- Miscellaneous Hardware

The monitoring mechanisms cover the following operating systems:

- MS Windows
- MacOS X
- Un*x (BSD-based OS, GNU/Linux, ...)
- OpenVMS by means of an SNMP agent/trap daemon collector.




What you should know...

- Basic knowledge of Apache Web Server configuration and management
- Perl modules installation procedures
- MySQL database installation, configuration and population
- User-level background on NetBSD OS (also Unix-like OS)


In reference to software inventory, the items collected are:

- Operating System
- Installed Software
- Custom-specified registry queries for MS Windows equipment








Figure 1. Overview of IT Inventory/Asset management platform (figure not reproduced; labels: Assets Management Administrator, IT Corporate Platform)
The Asset Management System itself, described in Figure 1, allows building up a database with an inventory for large companies to perform accurate contract and licensing management, maintenance and support, including a job-tracking system with mail-enabled alerts to provide online information. The most relevant feature of this platform is the fact that it has been developed entirely by using FOSS in order to avoid recurrent costs and to achieve long-term support; thus, the required investment is just for specialized personnel to deploy the low-level infrastructure.


IT Inventory and Asset Management

The main purpose of this document is to introduce a detailed view of a complete integrated platform to control all inventory and assets for complex organisations according to the architecture depicted in Figure 2.

- OCS is used to make the automated inventory generation for all IT hardware present in large organisations or companies as efficient as possible.
- GLPI is used for asset management and as a ticketing system for all IT-related items provided by OCS. In this way, there exists an interface between GLPI and OCS which allows automatic capture of data by means of an OCS Agent, available for MS Windows, Unix and MacOS platforms.
- OTRS is used as an ITIL-compliant ticketing system for all custom processes defined for large organisations or companies.

However, all OTRS functions distinct from process definition and management can be carried out by the tandem OCS/GLPI, as happens with the Help Desk services widely used in large companies to handle automated management of hardware/software items as well as some assets associated to them.

For large IT platforms, filling out all available data by hand does not make sense and, besides, is prone to mistakes. Hence, the most logical approach is to gather all available data concerning hardware and software in an automatic way. Furthermore, if we are able to develop a no-cost Open Source platform to manage inventory and related assets for IT equipment included in heterogeneous environments like Un*x, MS Windows and OpenVMS, it should be a suitable solution for future company asset management.


Inventory Management Platform

Once the architecture of our proposed inventory platform has been introduced, it is possible to distinguish three different categories of entities, which are shown in Figure 3.

- Inventory Server, in charge of gathering all information provided by the IT equipment to be included in the inventory.
- Inventory Agents, which are each of the pieces of IT equipment to be included in the inventory.
- Inventory Console, used for inventory/assets administration to get a full, updated and accurate picture of the current inventory.


Generic Asset Management Platform

The deployment of such an architecture by using an IA32 computer running NetBSD 6.0 as the operating system will eventually be followed by the installation of some processes running in the background. These processes, termed agents, will be in charge of providing gathered data about the hardware and software running on them by using a unidirectional link, so that these pieces of IT equipment, which are now part of the inventory, are the items for associated assets.


Figure 3. Inventory and Asset management functional architecture (figure not reproduced; labels: Management Consoles)

OCS Server Installation Procedure

Before starting with the installation process, be aware that our recommendation is to use the NetBSD 6.0 Release on your target computer. If you try it by using the latest NetBSD 6.1.2 release, you will get into trouble due to some unavailable packages. In order to avoid further problems, we recommend the use of the NetBSD 6.0 release with the following settings to properly use the pkgsrc system in order to get the necessary packages by means of the pkg_add(1m) command. For this reason, before starting the installation process, you must add the following entries in your .profile if you are using a Bourne-like shell:


PKG_PATH="http://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/6.1.2/All"
export PKG_PATH


Thus, the aim of this section is to provide detailed guid- 
ance on installing OCS for Inventory generation and 
management and GLPI for asset management with uni- 
directional interface between OCS and GLPI so that 
manual intervention is minimised. 


Previous Requirements

Four points should be reviewed before starting with the installation of OCS NG Server on Unix platforms:

1. Apache 2.x Web Server running
   - Apache daemon binary: /usr/sbin/httpd
   - Apache main configuration file: /etc/httpd/httpd.conf
   - user account running the Apache web server: apache
2. PHP settings (php.ini) in the /etc/httpd/ directory:

   post_max_size = 200M
   upload_max_filesize = 200M

3. MySQL 5.5 running an instance as a TCP service on localhost:3306.
4. Required Perl modules installed, available at www.cpan.org.


Hence, to install the required binary packages, issue the following commands:

# pkg_add apache-2.4.6
# pkg_add php-5.5.4

The same steps shall be done for the packages required to install the MySQL DB server and client utilities:

mysql-client-5.6.13nb1    MySQL 5, a free SQL database (client)
mysql-server-5.6.13       MySQL 5, a free SQL database (server)

and then check whether these two packages have been successfully installed. In the case of the Apache HTTP server:


laertes# pkg_info apache-2.4.6
Information for apache-2.4.6:

Comment:
Apache HTTP (Web) server, version 2.4

Requires:
apr>=1.4.5nb3
apr-util>=1.4.1nb4
pcre>=8.30nb1

Description:
The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for various modern
desktop and server operating systems, such as UNIX and
Windows NT. The goal of this project is to provide a secure,
efficient and extensible server which provides HTTP services
in sync with the current HTTP standards.

This package tracks 2.4.x release.

Homepage: http://httpd.apache.org/

Install notice:
$NetBSD: MESSAGE,v 1.1 2012/08/26 12:37:34 ryoon Exp $

After apache-2.4.3, --enable-mpms-shared='event prefork worker'
is passed to configure script, then a three multi-process model
is built and you can select the model in the configuration file.

The mod_cgi.so module conflicts with the non-prefork multi-process
model, and mod_cgi.so module is not built anymore.
You can use mod_cgid.so module instead.











Also, if you are using this procedure, remember that the main configuration file httpd.conf is placed at /usr/pkg/etc/httpd/httpd.conf.

Once these packages have been installed, it is time to download a copy of the source code for both server-client addons, OCS NG Server for UNIX and GLPI, which are available at http://www.ocsinventory-ng.org and http://www.glpi-project.org/, respectively. Notice that you should download OCS Inventory NG Version 2.1RC1, released in April 2013, and GLPI Version 0.84, released in May 2013.

The suggested procedure to install OCS NG Server is summarised in the following sequential steps:


1. Run the setup.sh script (Listing 1).

2. Ensure that all required Perl modules are available on the future platform for OCS NG Server (Listing 2). Notice that SOAP::Lite is also required, together with the features needed to enable the OCS Inventory NG SOAP Web Service (Listing 3). This is undoubtedly the most difficult step, as it requires a lot of patience to get all required Perl modules from http://www.cpan.org and to compile and install them before continuing with the installation process. Thus, the process of building and installing a new Perl module consists of the following steps:

   a) Download and uncompress the Perl module tarball
   b) Build and install the module on our NetBSD host:

      # perl Makefile.PL
      # make
      # make test
      # make install

3. Ensure that Apache recognizes the following configuration:

   # OCS NG Inventory
   Include /usr/pkg/etc/httpd/extra/ocsinventory-reports.conf

4. Point a browser to http://localhost/ocsreports to get the main HTML page of your Apache Web Server under NetBSD and fill up the following fields (listed after Listing 3):





Listing 1. Run the setup.sh script

root@ec151991:/home/c20395/OCS/OCSNG_UNIX_SERVER-2.0.5# ./setup.sh

If upgrading Communication server from OCS Inventory NG 1.0 RC2 and
previous, please remove any Apache configuration for Communication Server!

Setup has created a log file /home/c20395/OCS/OCSNG_UNIX_SERVER-2.0.5/ocs_server_setup.log.
If you encounter an error while running OCS Inventory NG Management server,
we can ask you to show us this content !
Please, save this file.

Checking for Apache web server binaries !

CAUTION:
Do you wish to continue ([y]/n) ?

OK, Administration server installation finished ;-)

Please, review /etc/httpd/ocsinventory-reports.conf
to ensure all is good and restart Apache daemon.
Then, point your browser to http://server//ocsreports
to configure database server and create/update schema.

DON'T FORGET TO RESTART APACHE DAEMON !

Enjoy OCS Inventory NG ;-)
Listing 2. Ensure that all required Perl modules are available on the future platform for OCS NG Server

Checking for DBI PERL module...
Found that PERL module DBI is available.
Checking for Apache::DBI PERL module...
*** ERROR: PERL module Apache::DBI is not installed !
Checking for DBD::mysql PERL module...
Found that PERL module DBD::mysql is available.
Checking for Compress::Zlib PERL module...
Found that PERL module Compress::Zlib is available.
Checking for XML::Simple PERL module...
Found that PERL module XML::Simple is available.
Checking for Net::IP PERL module...
*** ERROR: PERL module Net::IP is not installed !

*** ERROR: There are one or more required PERL modules missing on your computer !
Please, install missing PERL modules first.


Listing 3. The SOAP::Lite features

Feature                         Prerequisites                         Install?
Core Package                    [*] Scalar::Util                      always
                                [*] constant
                                [*] Test::More
                                [*] MIME::Base64
                                [*] Class::Inspector
                                [*] XML::Parser
                                [*] Task::Weaken
Client HTTP support             [ ] LWP::UserAgent                    always
Client HTTPS support            [ ] Crypt::SSLeay                     [ no ]
Client SMTP/sendmail support    [ ] MIME::Lite                        [ no ]
Client FTP support              [ ] SOAP::Transport::FTP              [ no ]
Client TCP support              [ ] SOAP::Transport::TCP              [ no ]
Standalone HTTP server          [ ] HTTP::Daemon                      [ no ]
Apache/mod_perl server          [ ] Apache                            [ no ]
FastCGI server                  [ ] FCGI                              [ no ]
POP3 server                     [ ] MIME::Parser                      [ no ]
                                [*] Net::POP3
IO server                       [*] IO::File                          [ yes ]
MQ transport support            [ ] SOAP::Transport::MQ               [ no ]
JABBER transport support        [ ] SOAP::Transport::JABBER (v0.712)  [ no ]
MIME messages                   [ ] MIME::Parser                      [ no ]
DIME messages                   [ ] IO::Scalar                        [ no ]
                                [ ] DIME::Tools (v0.03)
                                [ ] Data::UUID
SSL Support for TCP Transport   [ ] IO::Socket::SSL                   [ no ]
Compression support for HTTP    [*] Compress::Zlib                    [ yes ]
MIME interoperability w/ Axis   [ ] MIME::Parser (v6.106)             [ no ]
--- An asterisk ([*]) indicates if the module is currently installed.
MySQL Login: ocs
MySQL Password: ocs
Name of Database: ocsweb
MySQL Hostname: localhost

This script creates 94 new tables in the MySQL ocsweb database.

5. MySQL configuration requires at least 2 MB for the max_allowed_packet parameter. So, modify the following entry in the /usr/pkg/share/mysql/my.cnf configuration file:

max_allowed_packet = 2M


OCS Agent Installation Guide

Once the OCS Server has been installed successfully, it is time to install OCS Agents on all the IT equipment you wish to control. The role of these agents is to gather automatically all the items to be stored as part of our IT inventory.

For our purposes, it will be sufficient to illustrate the case of the Unix and MS Windows platforms in order to get a working prototype. This prototype can easily be extended to a real, more complex IT platform using the procedures described hereinafter.


Hardening the OCS NG Server

In order to avoid the proliferation of permissions and redundant grants, it is convenient to follow the sequence of steps below to strengthen security on our OCS NG server:

1. Set up permissions.

# chown -R root:apache /usr/share/ocsinventory-reports/ocsreports
# chmod -R g+w /usr/share/ocsinventory-reports/ocsreports

2. Create the old_conf directory with write permissions for the Apache user:

root@ec151991:/usr/share/ocsinventory-reports/ocsreports/plugins/main_sections/conf/old_conf

3. Ensure that the MySQL user/password in z-ocsinventory-server.conf is correct:

# Name of database
PerlSetEnv OCS_DB_NAME ocsweb
PerlSetEnv OCS_DB_LOCAL ocsweb

# User allowed to connect to database
PerlSetEnv OCS_DB_USER ocs

# Password for user
PerlSetVar OCS_DB_PWD ocs

A working prototype is installed and available at http://ecd11461/ocsreports. Access to http://ecd11461/ocsreports is granted by default to the user 'admin'; keep this in mind when configuring the OCS NG Agent on other equipment.

www.bsdmag.org


GLPI Installation Process

In contrast to the OCS NG server, the installation of GLPI is easier to perform on Unix platforms and may be summarised in the following stages:

1. Create the database. The default logins/passwords once the MySQL database has been initialized are:
   • glpi/glpi for the administrator account
   • tech/tech for the technician account
   • normal/normal for the normal account
   • post-only/postonly for the postonly account
   That is all; GLPI is ready for use at the URL associated with the OCS Inventory/Assets Server, http://ecd11461/glpi/install/install.php.
2. Install the OCS Import plugin (1.6.1) and uncompress it in the plugins directory. Select Setup->Plugins in the GLPI web console.
3. Enable OCS NG mode in the GLPI web console.

GLPI log files:

../glpi/files/_log/ocsng_fullsync.log
../glpi/files/_log/sql-errors.log
../glpi/files/_log/php-errors.log
../glpi/files/_log/cron.log

OCS NG/GLPI Plugin interface

Log into the GLPI web console at http://ecd11461/glpi/ using the "glpi" administrator user, as shown in Figure 4, and select the following options:

1. Setup->General Setup and activate
2. Setup->OCSNG mode

and select "localhost" by setting the following parameters:

OCSNG database             ocsweb
OCSNG database user        ocs
OCSNG database password    pass
OCSNG database in UTF8     Yes
Active                     Yes

Also ensure that the Web address of the OCSNG console points to http://ecd11461/ocsreports, which is the OCS NG Console URL.

Ensure that Plugins -> OCS Import has been set up for the localhost OCS server.

Figure 4. Inventory and Asset management functional architecture


OCS Agent Installation Guide

Each candidate platform to be included in the inventory must have a running OCS Agent, which periodically delivers copies of the hardware and software items installed.

UNIX OCS NG Agent Installation

The OCS Inventory Agent for UNIX is nothing more than a Perl module, whose compilation and linking process is already well known to professionals. The point is the final configuration steps for such an agent. To show the whole process, we are going to use a SunOS/SPARC server on which we can install it and get the first results. To begin with, we need to set up the following Perl module dependencies for Net::SNMP, which requires the following modules, available from the CPAN site:

• Crypt::DES 2.03
• Digest::HMAC 1.00
• Digest::SHA1 1.02


Figure 5. OCS Agent for MS Windows installation process (I): the OCS Inventory NG Agent 2.0.5.0 Setup Wizard welcome screen





Listing 4. Questions

Where do you want to write the configuration file?
 0 -> /etc/ocsinventory
 1 -> /usr/local/etc/ocsinventory
 2 -> /etc/ocsinventory-agent
?> 2

Do you want to create the directory /etc/ocsinventory-agent?
Please enter 'y' or 'n'?> [y] y
[info] The config file will be written in /etc/ocsinventory-agent/ocsinventory-agent.cfg,

What is the address of your ocs server?> [ocsinventory-ng] localhost

Do you need credential for the server? (You probably don't)
Please enter 'y' or 'n'?> [n]

Do you want to apply an administrative tag on this machine
Please enter 'y' or 'n'?> [y]
tag?>

ocsinventory agent presents: /usr/local/bin/ocsinventory-agent

Do you want to install the cron task in /etc/cron.d
Please enter 'y' or 'n'?> [y]

Where do you want the agent to store its files? (You probably don't need to change it)?> [/var/lib/ocsinventory-agent]
Figure 6. OCS Agent for MS Windows installation process (II): licence agreement (OCS Inventory NG is released under the GNU GPL version 2; the Windows agent also carries the licences of OpenSSL, cURL, TinyXML and ZipArchive)

Figure 7. OCS Agent for MS Windows installation process (III): component selection (Network inventory, Local inventory, Uninstaller, Upgrade from 1.x Agent, working data folder)

Figure 8. OCS Agent for MS Windows installation process (IV): OCS Inventory NG Server properties (Server URL http://ecd11461/ocsinventory, optional server credentials with user ocs, "Validate certificates" with CA Certificate path cacert.pem)




Once the setup.sh script is running, a few questions must be answered (see Listing 4). After that, the process of periodically gathering all available information provided by this Solaris host can start. Notice that this information will be stored in the MySQL database defined for OCS, which acts as the backend of our IT inventory/assets platform.

MS Windows OCS NG Agent

Installing the OCS NG Agent on MS Windows platforms is a really straightforward process, as an installer, shown in Figures 5 to 8, is provided to simplify it. As a result, the configuration file is placed in ocsinventory.ini, whose contents are shown in Listing 5.







Listing 5. The configuration file is placed in ocsinventory.ini

[OCS Inventory Agent]
ComProvider=ComHTTP.dll
Debug=1
Local=
NoSoftware=0
HKCU=0
NoTAG=0
IpDisc=
TAG=
Server=http://ecd11461/ocsinventory
SSL=1
CaBundle=cacert.pem
AuthRequired=1
User=53kCz99TdagohlmaatjMVA==|||4Z2qgRoYC8QEbw1fa81i1P2NCg==
Pwd=nh5fWTdG44Nb+x80xxXrZXg==|||BSGQu3tuUhNiLQytAjV4Ng==
ProxyType=0
Proxy=
ProxyPort=0
ProxyAuthRequired=0
ProxyUser=
ProxyPwd=

[OCS Inventory Service]
TTO_WAIT=15540
PROLOG_FREQ=24
OLD_PROLOG_FREQ=24

Now the installed MS Windows agent is ready to gather all data concerning the hardware and software in order to populate the MySQL database created during the OCS Inventory NG installation process.




GLPI Data Import from OCS NG Inventory

A plugin for GLPI named OCS NG provides a unidirectional interface from OCS NG data to GLPI in order to build the required asset management.

Once all inventory data has been gathered in the OCS NG Inventory database, this data can be transferred into the GLPI database using the OCS NG plugin for GLPI, according to the picture given in Figure 9.

As a result of this import, the GLPI database contains all the new inventory data, as shown in Figure 10, which will be the basis for defining company assets such as:

• Maintenance Contracts
• Support Contracts
• Licensing Renewals
• Incidences and Problems

Notice that the data collected automatically by the OCS NG Agents is periodically updated, so this data can be synchronized with GLPI in order to get an up-to-date view of all assets in the company.

The final picture achieved at the end of the process described above is depicted in Figures 10 and 11.
Main Features

Rather than giving a list of the main features provided by this asset management platform, it is much more useful for end users to answer a set of common questions that illustrate some practical applications:

Dynamical groups
Let me use a real case from our working environment, in which we have a running OCS/GLPI installation to handle inventory and asset management. Suppose you are asked for the number of personal computers with IBM DOORS(TM) 9.1 installed, and their hostnames. The answer is logically provided by the dynamic groups feature. Dynamic groups allow categorization of systems by different criteria, e.g. those computers having DOORS 9.1 or other software installed, as shown in Figure 12.


Figure 9. Data import from OCS NG Inventory server to GLPI Asset Management server

Figure 10. GLPI imported data from OCS NG Inventory server
To conclude, the process of creating one such dynamic group consists of choosing the 'Search with various criteria' option in our OCS Inventory server URL and then selecting all items matching the software name we are looking for.


Conclusions and Remarks

One of the most common issues facing heterogeneous IT platform management in large companies is the lack of suitable tools to tackle the daily activities needed to control and trace changes in the hardware and software installed, as well as the tasks related to maintenance support and licence renewals that can affect some IT equipment. Hence, to shed some light, and to avoid the use of manual inventories, which constitute a big source of mistakes and are difficult to update and control, we have described the detailed steps to be followed in order to set up a seed platform for dealing with large IT platforms.
Figure 12. Dynamical groups usage

References

The two main references to get all source code and related documentation for the OCS Inventory NG and GLPI software are:

• OCS Inventory NG - www.ocsinventory-ng.org
• GLPI Assets Management - www.glpi.org

Also recommended is the main site of the Comprehensive Perl Archive Network, where you can find all the modules necessary to deploy the SOAP-based features required by the OCS/GLPI tandem:

• CPAN main site - www.cpan.org








There are, however, a lot of commercial products that could provide you with the necessary help and support, but they can be expensive and, what is more, have a degree of complexity that is not required in many cases. In such a case the choice of the OCS/GLPI tandem suits your needs well, which is especially important if you cannot afford to pay the fees for such commercial solutions.

Although the purpose of this article is not to show all the advanced features available, we strongly recommend reading a copy of the book "IT Inventory and Resource Management with OCS Inventory NG", written by Barzan Antal, which constitutes great support for advanced topics on this question and gives a taste of the possibilities offered to IT Administrators.


Acronyms and Abbreviations

BIOS   Basic Input-Output System
COTS   Commercial Off-The-Shelf
CPAN   Comprehensive Perl Archive Network
FOSS   Free Open Source Software
GLPI   Gestionnaire Libre de Parc Informatique
IT     Information Technology
NG     Next Generation
OBP    OpenBoot PROM
OCS    Open Computers and Software
PROM   Programmable Read-Only Memory
SNMP   Simple Network Management Protocol
FreeBSD Programming Primer - Part 10

In the tenth part of our series on programming, we will improve the login process, add more security, and keep spam robots under control.

What you will learn...
• How to configure a development environment and write HTML, CSS, PHP and SQL code

What you should know...
• BSD and general PC administration skills

In the previous article we put in place a very crude login system that allowed anyone to log in to our CMS and add content. We assume that the user has been correctly authenticated by comparing their password against a hashed password stored in the CMS database, then writing a cookie on the client side. It is then a simple matter of checking that authorization has been granted prior to carrying out sensitive actions (e.g. adding a user or amending content).





Listing 1. Logout function

function logout() {
    // Expire the login cookie by setting its expiry one hour in the past
    setcookie(KEYNAME, LOGINKEY, time()-3600, '/');
    echo 'You have been logged out';
}


Listing 2. Adding the logout logic

}elseif ($action == 'appendnewlogin') {
    $username = $_POST['username'];
    $password = $_POST['password'];
    $auth = $_POST['auth'];
    appendnewlogin($username, $password, $auth, $sql);
}elseif ($action == 'logout') {
    // Logout the user
    logout();
}else{
    // Invalid action. Request login details
    requestlogindetails();
}


Listing 3. logoutform()

function logoutform() {
    // Check if user is logged in, if so display the logout button.
    require_once 'includes/cms.inc';
    require_once INCLUDES . 'login.inc';
    if(isset($_COOKIE[KEYNAME])) {
        echo '<div id="logout">';
        echo '<form action="login.php" method="post">';
        echo '<input type="submit" value="logout">';
        echo '<input type="hidden" name="action" value="logout">';
        echo '</form>';
        echo '</div>';
    }
}
SECURITY

Unfortunately, exposing any login system on the World Wide Web leaves us open to undesirable elements. Brute force attacks (repeatedly attempting a login using dictionary attacks) and spambots that want to add advertising or phishing spam are commonplace, and our basic login system needs to defend against this. We also need to add logout functionality to every page that requires it.

The logout functionality
As login.php already holds the parameters passed to the cookie that is set when we are logged in, it makes sense to keep the logout function in the login.php page as well. We can then detect a logout post event to login.php and delete the cookie by setting the expiry date to a time in the past. Add the following code at the end of login.php (Listing 1).

Figure 1. Login - no cookie present

Now we need to check for a post event that carries the value logout. Add the following elseif branch between append and the closing else (Listing 2).

Figure 2. Cookie present but no logout button

We now need a logoutform() function that will provide a logout button whenever a user is logged in to the system. If we check whether or not the user is logged in we can place this in the footer of all pages where login / logout





Listing 4. Test to see if user is logged in

function ifnotloggedin() {
    // Check if user is logged in, if not, redirect to login page
    require_once 'includes/login.inc';
    if(!isset($_COOKIE[KEYNAME])) {
        header('Location: http://' . CMSDOMAIN . '/login.php');
        // Stop here, otherwise the protected page is still generated and sent after the redirect
        exit;
    }
}


Listing 5. Set our domain

// Our domain
define("CMSDOMAIN", '192.168.0.118');


Listing 6. amendcontent.php

// Check we are logged in
ifnotloggedin();

// Build the page up to the body tag
outfile(TEMPLATES . 'header.inc');


Listing 7. phpinfo.php

<?php
// Check we are logged in
require_once 'includes/cms.inc';
require_once INCLUDES . 'core.inc';
require_once INCLUDES . 'templates.inc';
ifnotloggedin();

phpinfo();

logoutform();
Listing 8. amendcontent.php and login.php

echo BODY;
logoutform();


Listing 9. global.css

#logout {
    float: right;
    background-color: Lomare; /* colour value is unreadable in the source scan */
    padding: 2px;
    border-radius: 10px;
}

Figure 3. Cookie present - logout button visible

Figure 4. Logout button visible on new faq's page

Figure 6. Logout button on phpinfo.php
Listing 10. validatelogin()

setcookie(KEYNAME, LOGINKEY, time()+3600, '/');

// Display options
$title = 'Welcome ' . $username;
buildheader($title);
echo wraptag('h1', $title);
echo ahref('Add or amend content', '/amendcontent.php');
buildfooter();


Listing 11. Replacement buildheader()

function buildheader($title, $forcelogout = 0) {
    // As cookies need to be set before any output is sent to the browser
    // use a function call to build the page header
    // Build the page up to the body tag
    outfile(TEMPLATES . 'header.inc');
    echo wraptag('title', $title);
    echo HEAD;
    echo BODY;
    logoutform($forcelogout);
    echo '<div id="content">';
    echo '<div id="php">';
}


Listing 12. Amended validatelogin()

setcookie(KEYNAME, LOGINKEY, time()+3600, '/');

// Display options
$title = 'Welcome ' . $username;
buildheader($title, 1);
echo wraptag('h1', $title);
functionality is required, and the button will be displayed only if the user is logged in. Add this to the end of core.inc (Listing 3).

We need to add a function call to check if the user is logged in or not, and redirect them to the login page if they are not. Add this at the end of core.inc (Listing 4).

As we cannot guarantee that the user does not spoof HTTP headers for the redirect, define our CMS domain in cms.inc. Replace 192.168.0.118 with either the IP address or the domain name of your server (if accessible via DNS) (Listing 5).

Add the ifnotloggedin() function call to the beginning of amendcontent.php and replace phpinfo.php with the content in Listing 7 (Listings 6 & 7).
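The login check and redirect described above, as an added example that is not the primer's own code: it keeps the primer's KEYNAME, LOGINKEY and CMSDOMAIN constants (the values below are placeholders), but compares the cookie's value with LOGINKEY rather than only testing that the cookie exists, and builds the redirect from the fixed domain rather than from the client's Host header.

```php
<?php
// Added example, not the primer's own code. The constant values are
// constructed placeholders; in the primer they live in cms.inc / login.inc.
define('KEYNAME',   'gp19867fghl1ls');          // cookie name the primer uses
define('LOGINKEY',  'placeholder-login-key');   // not the primer's real value
define('CMSDOMAIN', '192.168.0.118');

// Pure function so the decision can be tested without a web server:
// the cookie must exist, be a string and match LOGINKEY byte for byte.
// (The primer's isset() test accepts any cookie of that name, whatever its value.)
function is_logged_in(array $cookies): bool
{
    if (!isset($cookies[KEYNAME]) || !is_string($cookies[KEYNAME])) {
        return false;
    }
    // hash_equals() runs in constant time, so the comparison does not leak
    // how many leading bytes of a guessed value were correct.
    // LOGINKEY is still one value shared by every logged-in user in the primer's design.
    return hash_equals(LOGINKEY, $cookies[KEYNAME]);
}

// The target is built from the fixed CMSDOMAIN constant, never from
// $_SERVER['HTTP_HOST']: the Host header is supplied by the client, so a
// redirect built from it would point wherever the client chose.
function login_url(): string
{
    return 'http://' . CMSDOMAIN . '/login.php';
}

function ifnotloggedin(): void
{
    if (!is_logged_in($_COOKIE)) {
        header('Location: ' . login_url());
        // Without exit, PHP keeps running and the protected page body that
        // follows this call is still generated and sent.
        exit;
    }
}

// Constructed offline checks: no cookie, wrong value, right value.
assert(is_logged_in([]) === false);
assert(is_logged_in([KEYNAME => 'guess']) === false);
assert(is_logged_in([KEYNAME => LOGINKEY]) === true);
assert(login_url() === 'http://192.168.0.118/login.php');
```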





Figure 7. The fixed welcome page 





Listing 13. Amended logoutform()

function logoutform($forcelogout = 0) {
    // Check if user is logged in, if so display the logout button
    require_once 'includes/login.inc';
    if(isset($_COOKIE[KEYNAME]) || $forcelogout == 1){
        echo '<div id="logout">';


Listing 14. Add spambot field to requestlogindetails() in login.php

echo 'Username' . div('<input type="text" name="username">', $class);
echo 'Password' . div('<input type="password" name="password">', $class);
echo 'Email' . div('<input type="text" name="email">', 'loginemail');
echo '<input type="submit" value="Submit">';

Listing 15. Remove the comment from createnewlogin(); prefix it with // again to revert to the normal login action

    createnewlogin();
}

Add the following line to cms.inc:

// Honeypot for bad traffic
define("HONEYPOT", 'www.google.com');

Listing 16. The access table (banlist)

CREATE TABLE `access` (
  `id` int(10) unsigned zerofill NOT NULL AUTO_INCREMENT,
  `ipaddress` varchar(64) NOT NULL,
  `page` varchar(64) NOT NULL,
  `status` int(1) NOT NULL,
  `timestamp` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=0 DEFAULT CHARSET=latin1;

Listing 17. sqlstatements.inc

<?php
/*
 * sqlstatements.inc
 * Contains CMS SQL statements
 */
$sql[0] = "INSERT INTO access (`ipaddress`, `page`, `status`, `timestamp`)
           VALUES ('==P0==', '==P1==', '==P2==', now())";
$sql[1] = "SELECT status FROM access WHERE ipaddress = '==P0==' AND status > 0";

BSD 11/2013
Listing 18. mysql_select()

function mysql_select($sql) {
    $db = new mysqli(DBSERVER, DBUSER, DBPASSWORD, CMSDB);
    if ($db->connect_errno > 0) {
        die('Unable to connect to database [' . $db->connect_error . ']');
    }
    if (!$result = $db->query($sql)) {
        if (DEBUG) {
            die('There was an error running the query [' . $db->error . ']');
        } else {
            die('');
        }
    }
    // Pass our results to an array to be returned
    // (INSERT / UPDATE / DELETE return TRUE rather than a result object)
    if (is_object($result)) {
        $r = array();
        $r[] = $result->num_rows;     // No of rows returned
        $r[] = $db->field_count;      // No of columns in table
        $r[] = $db->affected_rows;    // No of rows affected e.g. update / delete
        // Append the results to our result count
        if ($result->num_rows != 0) {
            array_push($r, $result->fetch_array(MYSQLI_ASSOC));
        }
        // Free the result
        $result->free();
    }else{
        $r = NULL;
    }
    // Close the connection
    $db->close();
    return $r;
}
Listing 19. Additions to core.inc

function loginsecurity() {
    require INCLUDES . 'sqlstatements.inc';
    // Get the client IP address
    $ip = $_SERVER["REMOTE_ADDR"];
    if (isset($_POST['email'])) {
        // email will always be set, check if it is populated
        if ($_POST['email'] != '') {
            // Ban 'em
            banip($ip, 'login.php');
        }else{
            // Check that they have not been flagged as suspicious
            $s = $sql[1];
            $s = str_replace('==P0==', $ip, $s);
            $result = mysql_select($s);
            if ($result) {
                foreach($result as $row) {
                    $status = $row[0];
                }
            }else{
                $status = 0;
            }
            // Redirect to our honeypot if status is set
            if($status !== 0){
                header('Location: http://' . HONEYPOT);
                // Stop here so the page is not generated after the redirect
                exit;
            }
        }
    }
}

function banip($ip, $page) {
    require INCLUDES . 'sqlstatements.inc';
    // Add to our banlist (status 1 = banned)
    $s = $sql[0];
    $s = str_replace('==P0==', $ip, $s);
    $s = str_replace('==P1==', $page, $s);
    $s = str_replace('==P2==', '1', $s);
    mysql_select($s);
    // Redirect to our honeypot
    header('Location: http://' . HONEYPOT);
    exit;
}

function logip($page) {
    // Log the IP address to the database (status 0 = ordinary access)
    require INCLUDES . 'sqlstatements.inc';
    $ip = $_SERVER["REMOTE_ADDR"];
    $s = $sql[0];
    $s = str_replace('==P0==', $ip, $s);
    $s = str_replace('==P1==', $page, $s);
    $s = str_replace('==P2==', '0', $s);
    mysql_select($s);
}

Listing 20. Replacement validatelogin()

function validatelogin($username, $password, $sql) {
    // Create a session to keep track of our login attempts
    session_start();
    // As the password is hashed and hopefully cannot be decrypted,
    // we need to send the encrypted password
    $hashed_password = hash('whirlpool', $password);
    // Fetch credentials from DB, if match create a login cookie
    $s = $sql[0];
    $s = str_replace('==P0==', $username, $s);
    $s = str_replace('==P1==', $hashed_password, $s);
    $result = mysql_select($s);
    if ($result) {
        foreach($result as $row) {
            $auth = $row[1];
        }
    }else{
        $auth = 0;
    }
    if ($auth == 1) {
        // Log our successful login
        logip('login.php');
        // Reset our attempt count in case they login again
        unset($_SESSION['loginattempts']);
        // Create our cookie
        setcookie(KEYNAME, LOGINKEY, time()+3600, '/');
        // Display options
        $title = 'Welcome ' . $username;
        buildheader($title, 1);
        echo wraptag('h1', $title);
        echo ahref('Add or amend content', '/amendcontent.php');
        buildfooter();
    }else{
        // Keep a track of the number of attempts we have made at logging in
        if (isset($_SESSION['loginattempts'])) {
            $_SESSION['loginattempts'] = $_SESSION['loginattempts'] + 1;
        }else{
            $_SESSION['loginattempts'] = 1;
        }
        // If they have exceeded our limit, ban 'em
        if($_SESSION['loginattempts'] > 2){
            $ip = $_S
ERVER["REMOTE_ADDR"];
            banip($ip, 'login.php');
        }
        // Try again
        requestlogindetails();
    }
}


Listing 21. Modified buildheader()

// As cookies need to be set before any output is sent to the browser
// use a function call to build the page header
// Check we are not on the ban list before building the page
loginsecurity();
// Build the page up to the body tag
outfile(TEMPLATES . 'header.inc');


Listing 22. Hide the email address field

.loginemail {
    visibility: hidden !important;
}

Figure 8. The login page with the email "honeytrap"
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Add the logoutform(); after every occurrence after echo 
BODY; in login.php and amendcontent.php (Listing 8). 

Add the following to global.css to highlight and position 
the logout button (Listing 9). 

With Firebug enabled in Firefox, check that a cookie 
called gp19867fghl1ls is created when a user is logged in. 
The logout button should appear on all pages except the 
second time login.php is called and we arrive at the wel- 
come page (Figure 1 — 6). 

Now this is a problem, as we should be able to logout im- 
mediately after we login. Subsequent calls to login.php will 
show the logout button. So what is happening here? The 
problem lies in the validatelogin() function (Listing 10). 

We must set the cookie prior to creating the page header, but as the cookie data is generated at the client browser side when the page is loaded, as far as the PHP code running at the server side is concerned the cookie is not present yet. We can fool buildheader() by passing a parameter to force the display of the logout button (Listings 11 to 13). This will result in login.php working as desired (Figure 7).


Spambots and robots 

While we could use the very effective Apache MOD_SECURITY module to trap bad behaviour, this can be tricky to set up. What we will do here is monitor behaviour in two ways. First, we will create a hidden field that a normal user will not see under normal circumstances, which most spam-robots will fill in assuming it is a genuine field. On completing the field, our CMS will automatically ban all connections from that IP address to login.php permanently.

We will also check that no more than 3 invalid attempts are made to the login.php page, and if that is exceeded, that IP address will be banned as well.

First create another test user by changing login.php as follows and visit login.php anew to create another user (e.g. Test, Test, Auth = 1). Don't worry about the error messages — we will fix them later. Once you have created the new user, go back and comment out createnewlogin(); and check that you can login as the test user (Listings 14 and 15).

If you visit login.php you should be able to login as Test (ignore the Email field), then Logout (Figure 8). Now create our access table in MySQL to hold our banlist (Listing 16). Now create the file sqlstatements.inc in our includes directory (Listing 17). Replace the mysql_select() function call in mysql.inc with the following code (Listing 18). This fixes a bug where a PHP error is raised when no results are returned. Add the following function calls to core.inc (Listing 19). Replace validatelogin() in login.php with the following code (Listing 20). Modify buildheader() in login.php to call loginsecurity() (Listing 21).
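The two checks just described, the hidden "honeytrap" field and the 3-attempt limit, as an added example in Python rather than the article's PHP (LoginGuard, check_login and the sample user are constructed for this example; the real CMS keeps its counter in $_SESSION['loginattempts'] and its ban list in the MySQL access table). It goes one step beyond the article by also counting failures per IP address on the server, since a robot that discards its session cookie would otherwise reset the session counter on every request.

```python
import hmac
from datetime import datetime, timezone

MAX_INVALID_ATTEMPTS = 3     # article: the 4th invalid attempt gets you banned
HONEYTRAP_FIELD = "email"    # hidden by .loginemail {visibility: hidden} in global.css


class LoginGuard:
    """Stand-in for the CMS login checks; constructed for this example."""

    def __init__(self, users):
        self.users = users        # username -> password; a real system stores hashes
        self.banlist = {}         # ip -> (reason, when), like the MySQL access table
        self.ip_attempts = {}     # ip -> invalid attempts, server side (beyond the article)
        self.access_log = []      # (ip, when, outcome) for every login attempt

    def is_banned(self, ip):
        return ip in self.banlist

    def ban(self, ip, reason):
        self.banlist[ip] = (reason, datetime.now(timezone.utc))

    def _credentials_ok(self, form):
        stored = self.users.get(form.get("username", ""))
        if stored is None:
            return False
        # compare_digest keeps the comparison time independent of where the strings differ
        return hmac.compare_digest(stored.encode(), form.get("password", "").encode())

    def check_login(self, session, form, ip):
        """Return 'banned', 'ok' or 'retry' for one submission of the login form.

        session stands in for $_SESSION, form for the POSTed fields and ip for
        $_SERVER['REMOTE_ADDR']. The CMS redirects banned visitors to google.com."""
        if self.is_banned(ip):
            return "banned"
        # Honeytrap: humans never see the field, so any content means a robot.
        if form.get(HONEYTRAP_FIELD, "").strip():
            self.ban(ip, "honeytrap")
            return "banned"
        ok = self._credentials_ok(form)
        self.access_log.append((ip, datetime.now(timezone.utc), "success" if ok else "fail"))
        if ok:
            session.pop("loginattempts", None)
            return "ok"
        session["loginattempts"] = session.get("loginattempts", 0) + 1
        self.ip_attempts[ip] = self.ip_attempts.get(ip, 0) + 1
        if max(session["loginattempts"], self.ip_attempts[ip]) > MAX_INVALID_ATTEMPTS:
            self.ban(ip, "login attempts")
            return "banned"
        return "retry"
```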





Testing 

It is recommended that you run Firebug to view the cookies and PHP sessions generated during this test. Clear all cookies etc. from your browser and visit login.php:

- Login as Test with the correct password. You should be able to login. Logout.
- Login as Test with the correct password and an email address. You should be redirected to google.com. Any visits to login.php will cause a redirect to google.com.
- Use Adminer to clear all the entries from the access table.
- Visit login.php and click on the submit button 3 times without making any input. You should be redirected on the 4th attempt.
- Use Adminer to clear all the entries from the access table.
- Visit login.php and login and logout as normal. Your access attempts should be logged correctly with IP address and date.
- Login with a mixture of bad username and good password, good username and bad password. You should be banned on your 4th login attempt.


CSS modification 

Finally, add the following code to global.css and refresh 
your browser with Ctrl F5 a couple of times to clear the 
cache. The email field should now be invisible to human 
visitors, but available to robots etc. (Listing 22). 


Next steps 

It might be a good idea to add the banlist functionality to all pages on a failed login etc. and keep a tally of what pages are accessed legitimately. We also need to add the facility to add a user rather than manually editing code each time. Our CMS is getting quite large, with over 2,100 lines of code (excluding the jQuery libraries), so we will look at refactoring some of this code in the next article.


ROB SOMERVILLE 
PfSense + Snort: Fast approach


pfSense is a FreeBSD-based distro specially oriented as a security appliance for firewall UTM, with many modules ready for more functions. You can integrate things like squid, dansguardian, varnish, mod_security, and... snort!

...wall rules, you can pass the addresses from snort alert sources to the firewall to block attacks at the WAN interface. This is really cool.

Easy and fast, no scripting, no configuration files, just use the web interface to run everything. Also FreeBSD has reported one of the best performance results at TCP/IP stack benchmarks, paying attention to security, so I think this is a good starting point.

The software has a lot of possibilities. You can use it in embedded appliance systems with compact flash storage, on virtual appliances (you can even download a virtual hard disk with it installed), or on any standard machine, booting from a live CD or from HD, and there are also ISOs for x64 and x86 architectures.

For practice, it will be useful if you write down the MAC 
addresses from your interfaces somewhere. 

On this fast startup, we will install a virtual appliance 
from scratch for the example but the steps are the same 
for any physical install. 

The first step is to download an iso from the official site to boot on our machine. Just enter pfsense.org and go to Downloads. Click on "here on the mirrors" and select a mirror. You will get a list of possible sources; just get the one you need, typically pfSense-2.0.1-RELEASE-[arch].iso.gz.

Once you have downloaded and burned the CD, just start from it and it will show the boot menu with typical options: default, without acpi, safe start... Just let it start at default, and it will ask for Live Boot or Install. Press "i" for install and a GUI will prompt for character and keymap sets; you can choose your own or just change Keymap to the one of your country. Once selected, "Accept these Settings", select Quick/Easy Install and go; this option automatically erases the HD and repartitions it.


Figure 2. VLAN creation assignment prompt


The next step is to choose the kernel type: Symmetric multiprocessor (in case you have more than one core), Embedded Kernel (without VGA and keyboard, for typical rack appliances) and the developers' one. For our example, obviously choose the first one.

It copies all necessary files and asks for a reboot. Remove the CD from the tray, let it restart and see how it boots.

After the reboot, as it says, the next default values are loaded:

- IP address at LAN interface 192.168.1.1
- Username: admin
- Password: pfsense

Anyway, an assistant will help us at boot to assign interfaces at startup. It shows a prompt asking for VLAN creation if needed. For this example we will create 2 VLANs at the LAN interface, one for data and one for voice, so we answer y.

At this moment, it would be useful to know the MAC address of each interface and where they are connected; here comes the VLAN assignment, see Figure 2.

After the VLAN info, you can simply press enter without entering any info and it will show a summary of the VLAN assignment, and start the network interface assignment.


Figure 3. VLAN summary and interface assignment (console screenshot: the VLAN list with its tag and parent interface em1, followed by the prompt "Enter the WAN interface name or 'a' for auto-detection")

Figure 4. Interface to network type assignment (console screenshot: the LAN, Optional 1 and Optional 2 interface name prompts, ending with "The interfaces will be assigned as follows:")
At this point you inform the system what interface will give access to the WAN network, to the LAN, DMZ and others if you have them.

If you don't know the interface MAC address, the assistant offers an auto-detection method for selecting the correct interface: just disconnect all network wires from the machine and press "a". After that, it invites you to connect the wire to the NIC selected for that kind of network. In this case, the first one it asks for is WAN, so if you plug a wire into the physical interface and establish the link, the system detects which interface is up and gets its MAC address.

Once you've finished, just press "enter" without the previous value and it will show you a summary and prompt to proceed with the assignment. Press "y" and "enter".

At this moment, you've reached the end of the basic install (Figure 5). Now you can modify the default IP address assigned to the LAN network to the one chosen by you: just press 2 and enter, then interface, IP and netmask; it will ask you about enabling a DHCP service. Answer as you need for your case. It will then ask about using the http protocol for admin. You can answer "y" now and change to https later, as you wish.

Now you have to access, from a LAN machine, the administration URL shown in the summary (Figure 6).


Console screenshot referenced as Figure 5 in the text: the interface summary after the basic install (WAN on DHCP, LAN on em1 at 192.168.1.1) and the numbered console menu, including 2) Set interface(s) IP address, 3) Reset webConfigurator password, 4) Reset to factory defaults, 6) Filter Logs and 14) Enable Secure Shell.

Figure 6. LAN ip setup and url for web setup (console screenshot: after the LAN address change, "You can now access the webConfigurator by opening the following URL in your web browser:" followed by the new LAN address)




Once you've logged on to the web interface, you will see the dashboard. It is a customizable panel for an overview of the system where you can add or delete the info plugins you prefer. At the top you can see the drop-down bar that gives you access to all the functions configuration.

At System -> Packages you can see a lot of additional packages to improve pfSense functionalities.

Figure 7. pfSense Main Dashboard

Personally, I tested and recommend the following:

- Bandwidthd: monitor bandwidth on interfaces and store stats.
- Dansguardian: anti-malware and content access control based on DNS requests, not free.
- IP-Blocklist: to block entire country IP blocks.
- squid: proxy server for caching and auditing.
- Lightsquid: prettier reports from the squid proxy server.
- Mailreport: sends you a report from chosen info by email based on a schedule.
- OpenVPN Client Export Utility: to create an automated installation package for OpenVPN clients.
- pfBlocker: to block host ranges recovered from internet blacklists of spammers, malware...
- snort: our main target in this article, the snort IDS.

Figure 9. Snort General Setup

Figure 10. Snort Instance on wan interface

To install, simply click on the icon with the plus symbol; it will download and install the snort package.

Now you need to register at the snort web site (snort.org) in order to get an OINKCODE. This is a code to validate against the snort users database and download the intrusion detection signatures.

Once registered and confirmed, log in with your account on the snort site and go to "My Account". There you can find a folder called Subscriptions and Oinkcodes where you can get your oinkcode for free.

Copy it and go to the pfSense web interface. Click on Service->Snort and go to "Global Settings"; here you can change the radio button to install the basic rules from snort and paste your code.

You can also mark the install Emerging Threats option to receive more attack signatures from the Emerging Threats community, and choose an update period. I use it to get daily updates.

It is also good practice, if you have a small disk, to limit the growth of logs and data to keep everything working, so set Enable size limits to a figure that fits your disk size.

The last important option at this point is the time that a supposed attacker is blocked at the firewall; snort can remove hosts from the blocked lists periodically, if you wish to block them.

When you finish click on "save" and go to updates for the signatures download. You only have to press the button shown to launch the manual download of the signatures. When finished, click "return".

Now we must tell the system where snort will listen. If we go to the snort interfaces folder, we can add an instance of snort listening on each interface. Typically it is only run on WAN / DMZ, but for more complex scenarios it can be a good idea to put a probe on different layers of the network, to see what alerts are being blocked on WAN and whether someone is also raising alerts on the LAN or intermediate networks, if you think of network security layers as an onion.

The important fields are:

- Enable: checked to enable the interface
- Interface: WAN, to select which one is going to be enabled
- Memory performance: ac-bnfa is enough for starting.
- Block offenders: checked. This is the magic, to block whoever raises an alert at the snort IDS.
- Kill States: checked, to also kill current connections of attackers.*
- Which ip to block: src, we typically want to block the source.
- Checksum setting: checked to check packet checksums

* At the beginning, it is not recommended to block offenders. First of all, you must see how it works and which kinds of alerts are raised.


Once you finish, just save and the interface will reload itself showing the interface instance of snort with a play icon.

Figure 11. Snort instance on WAN interface

Click on the play icon to start snort and barnyard2. Click on the stop icon to stop snort and barnyard2.

The last step is to select which kind of signatures we want to check on the interface. Click on the "edit" icon for the instance and go to "Categories". A list of all signatures is shown. To start, check all of them. Later, if one of them gives any problem, you can disable it by unchecking the box, or you can even enter the rules folder and disable only a signature rule of a category.

Figure 12. Snort interface instance rules edit

Sometimes it happens that a signature has some kind of problem with the snort plugin or causes a problem with a company application; this allows you to disable the conflicting rule and allow everything to work at least while another solution is found. Or perhaps you want to restrict instant messaging except for XMPP because it is used by Cisco Unified Communications systems at your company. This feature allows you to disable a specific rule only at that interface.

Another important feature is the snort preprocessor options to interpret different protocols to detect anomalies. It can decode and normalize a lot of protocols: HTTP, RPC, FTP, SMTP, DNS, SSL, portscan detection...

Also pfSense by default does something called packet scrubbing, which tries to protect some vulnerable systems from attacks with fragmented packets, like teardrop or others.

Check whatever you want to use and go to the snort interfaces folder, press play and you're all done.

The last step is to test the whole environment. In the alerts folder, you can see alerts generated by Snort. You must correlate alerts with your environment and define what is a real alert and what is not: perhaps some of your apps have a bug and send some kind of request that raises a false positive from a trusted location, or you must ignore or suppress alerts from internal instant messaging. You must test and follow alerts for some time to define a baseline of normal working traffic. Once you have done this, your IDS can be activated in inline mode (blocking IDS offenders), more safely for production continuity. But don't think this is a person doing their job; this is a program and needs supervision to keep on track, but it helps a lot protecting holes while you find something better to cover them.

I encourage all of you to test this marvelous software and experiment with packets and plugins. There is an incredible amount of features to use at the cheapest price. You even have paid support if you need it.

I have no relation with the authors of the software and they are the artists of this opera. The applause is for them, long live pfSense.


SALIH KHAN 


11/2013 




SECURITY 


How Secure can Secure Shell (SSH) Be?

(BASIC CONFIGURATION of OpenSSH)

Secure Shell is one of the protocols that IT specialists use to ensure a secure and reliable connection between remote computer systems. This short guide explains a few things to make your SSH connection more secure.

What you will learn...

- How to configure OpenSSH.
- A few configuration options that may make your remote connections more secure, based on OpenSSH.
- A good base to make up something new and secure on your own.


What you should know...

- Unix/Linux commands and SHELL environments.
- The basics of TCP/IP.
- Understanding the need for security.

For FreeBSD and OpenBSD, SSH starts automatically if you did not remove the check from the sshd box during installation.

OpenBSD (immediately):

# /etc/rc.d/sshd start

OpenBSD (permanently):

# vi /etc/rc.conf.local

Create the line used when starting sshd_flags and leave it empty like this sshd_flags="" or you can specify your own path to the configuration file, so the line should look like sshd_flags="-f /MY_PATH/my_config_filename".

Changes will take effect after restarting the system, or you can use the command line to do it immediately.

# /etc/rc.d/sshd start

or restart when sshd is running.

# /etc/rc.d/sshd restart

FreeBSD (immediately):

# /etc/rc.d/sshd start

or

# service sshd start

FreeBSD (permanently):

# vi /etc/rc.conf

Create the line started at sshd_enable="YES". You can specify your own path to the configuration file. Edit the following file.

# vi /etc/rc.d/sshd

Find the line started at command="/usr/sbin/${name}" and change it as follows.

command="/usr/sbin/${name} -f /MY_PATH/my_config_filename"

Changes will take effect after restarting the system, or you can use the command line to do it immediately.

# /etc/rc.d/sshd restart

References (order of relevance)

man sshd_config
man sshd
www.openssh.org
www.openbsd.org; www.freebsd.org
www.rfc-editor.org and search for the "SSH" phrase (for advanced users — programmers)

Note (only in code explanations):

Italics word means option.
Code word/numbers means value of that option.


Note 
Do not specify your own configuration file when you run 
for the first time. 


sshd configuration file explanation

The configuration file in this example was tested and operated correctly for FreeBSD 9.1 and OpenBSD 5.3.

Warning
AuthenticationMethods publickey,password publickey,keyboard-interactive does not work on FreeBSD (maybe in the next releases) and the value sandbox of the option UsePrivilegeSeparation works in OpenBSD. As for the rest, UsePrivilegeSeparation yes works.

Every time you change your configuration, you can check its validity by using the test mode, or extended test mode, as shown below respectively:


# sshd -t 
# sshd -T 


If you are not familiar with sshd, please use the following command to restart the process, or read the text from the beginning. After installation of your *BSD system, sshd should be installed and run at start up by default.

# /etc/rc.d/sshd restart

You can experiment with the SSH options and values (in sshd_config) and you will not lose your current SSH connection(s), because the new sshd process serves only new connections. But if you close the current connection(s) and then try to reach the server, the new sshd process with the new configuration will be used.


Let's look at the sshd (ssh daemon) configuration file, bit by bit, from beginning to end. The file is always located at /etc/ssh/sshd_config, but it can be changed (moved or a new one created) if you wish (see PART 1).


Note 
The commented lines are not listed if they are not neces- 
sary, so not all of your options have been displayed which 
you will see in your file. 

sshd_config 1st part listing:

Port 4444
AddressFamily inet
ListenAddress 192.168.0.1
#ListenAddress ::

Port and then the decimal number of the port where sshd listens and waits for new connections (IP address + port number = socket). The standard port is 22, so it is recommended to change it for your own security, and select it from the range <1024-65535>. It reduces up to 90% of the sniffers that are searching for port 22 and then trying to log in using a dictionary attack, or brute force. Thus, it decreases the load on your server and reduces the probability of access to your system.

AddressFamily and then inet for IPv4, inet6 for IPv6 and any for both. If you do not use IP version 6, it is good practice to disable it, so only use inet. Please remember: if you do not need something, just do not use it and disable it.

ListenAddress and then an IPv4 decimal four-octet IP address, such as 192.168.0.1, where sshd listens and waits for new connections. Please do not use the localhost IP address (127.0.0.1), because you will never connect to your server from the outside (better security, but weaker functionality). Try not to use external (Internet) IP addresses due to attacks from the Internet network. Nevertheless, if you have to use an Internet IP address, later you will learn how to increase the security of your SSH.

#ListenAddress indicates that we do not want to use IPv6 (line commented) and do not want to assign IPv6 to ::.

sshd_config 2nd part listing:

Protocol 2
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
SyslogFacility AUTH
LogLevel DEBUG3

Protocol and then the number 1 or 2. The second one is newer, so use it and comment all lines indicated for 1 (look at the three commented rows above for example). This option selects the protocol version of SSH, and version 2 is more secure and has more features.

SyslogFacility and then AUTH, DAEMON, USER or others (see man page). It is for logging details. AUTH is sufficient for security reasons. The log file is /var/log/auth.log (absolute path). After logging in to your SSH, please list that file. You will learn more about the SSH connection and its security. It is recommended to copy your log file to analyze it later in case of a break-in or other factors associated with sshd.

LogLevel and then the depth of the debugging level indicated by INFO, ERROR, DEBUG3 (more at man page). DEBUG3 is the most detailed logging level, so it is recommended for security analysis or to make sure the process is working properly.

sshd_config 3rd part listing:

AllowUsers xyz007 backup John
AllowGroups wheel
LoginGraceTime 15
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
MaxSessions 3


AllowUsers and then a list of users separated with a space (almost always local users): xyz007, backup, John, or root (not recommended). The option gives the possibility to restrict connections to particular users. Try to use a non-standard user, different from admin, administrator, sql, etc., to hinder attackers. Note: xyz007, backup and John are not default users after an installation, so you have to create the new ones and add them to the group wheel.

AllowGroups and then a list of groups to have access to the SSH connection. Listing is the same as for users. Note: if the user is not listed in the AllowUsers option, but their group is listed in AllowGroups, the user will not have the appropriate privileges to gain access to the SSH connection. Group wheel is the standard group for non-standard users, so even if you comment AllowGroups the user must be in the wheel group (just edit the file /etc/group and add the user to the wheel group).

LoginGraceTime and then the number of seconds (i.e., 15) to successfully log in. If you exceed the limit of seconds, the server drops your connection as inactive and you have to start to log in again. Note: 60 is equivalent to 60s, as well as 1m.

PermitRootLogin and then one of the values no, yes, or others (see man page). The name of PermitRootLogin explains everything. Note: if the line is commented, that means that root login is not allowed (recommended) to connect to SSH.

StrictModes and then one of the values no or yes. It is recommended to set the value to yes, because the sshd process checks the home directory and other user file permissions.

MaxAuthTries and then the number of tries to connect to the SSH connection. It is recommended to set the value to less than 10 (i.e., 3). If an attacker tries to guess the password, or passphrase, then after 3 unsuccessful login attempts their connection is dropped.

MaxSessions and then the number (i.e., 3) of simultaneous connections independent of users. So xyz007, backup and John all logged in at the same time would prevent others from logging in. For strict security reasons you can set the value to 1. Log in and keep the SSH connection as long as your network stability allows you to stay logged in (desktop locking, terminal locking and preventing others' attacks on your client).

sshd_config 4th part listing (keys generation and usage is explained in PART 2):

AuthenticationMethods publickey,password publickey,keyboard-interactive
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

AuthenticationMethods and then the list of authentication methods (i.e., publickey,password publickey,keyboard-interactive). It means that authentication will start step-by-step via publickey; after successful authentication via publickey it goes to password publickey and then at the end is keyboard-interactive (user's password). You can use one of them, two or three in the correct order (publickey before password publickey and keyboard-interactive), but publickey and password publickey are concatenated, so you have to use them together in that order.

RSAAuthentication and then one of the values no or yes. It is required to set yes when you set one of the authentication methods on public key, and the two options below as well.

PubkeyAuthentication and then one of the values no or yes. It is required to set yes if you want to use public/private key authentication.

AuthorizedKeysFile and then the path to the public key (i.e., .ssh/authorized_keys). Be informed that the path is not absolute but relative, and the root is the user's home directory. Note: set the file permissions to 400 or u=r,g=-rwx,a=-rwx using the command chmod, regardless that public keys can be known to everyone.
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Note: these four above options are the main pack of the 
security planks to keep safe your SSH connections safe. 
sshd_config 5" part listing: 


PasswordAuthentication yes 


PermitEmptyPasswords no 


PasswordAuthentication and then one of the values no or yes. It is required to set the value to yes because the user’s password authentication method is used. Without yes, the SSH connection will be unsuccessful and then dropped.

PermitEmptyPasswords and then no or yes. For security reasons it is recommended to set the value to no. Note: no user from the wheel group or other standard groups (your groups) should have an account without a password. There are many non-standard (application) users without a password, but shell/terminal login is denied, or should be denied, to them.

sshd_config 5th part listing:

#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes


In short: X11 should never be used on Unix, Unix-like or Linux systems if the system is destined to be a server. Leaving it off decreases the system load and improves security. A professional and experienced OS terminal user is faster than an OS window user.
sshd_config 6th part listing:

PrintMotd yes
PrintLastLog yes


PrintMotd and then one of the values no or yes. The option outputs the text from the file /etc/motd (absolute path). It is useful to inform an unprivileged user about restrictions and other information before they try to log in. Try to devise your own text info.

PrintLastLog and then one of the values no or yes. It is recommended to set the value to yes so that you see your own last login information and client IP address, and can verify they are what you expected.

sshd_config 7th part listing:

UsePrivilegeSeparation sandbox
PermitUserEnvironment no


UsePrivilegeSeparation and then one of three values: no, yes or sandbox. It is recommended to use sandbox or yes. Both values separate the process, and sandbox additionally puts it in a jail environment. It is more secure, preventing privilege escalation due to code corruption, attacks on other hosts, the kernel attack surface, etc. An example process listing is shown below (Listing 1), with comments starting at //.

PermitUserEnvironment and then one of the values no or yes. It is recommended to set the value to no to prevent bypassing access restrictions (see the man page).

sshd_config 8th part listing:

ClientAliveInterval 60
ClientAliveCountMax 10


ClientAliveInterval and then a value in seconds (i.e., 60); in conjunction with ClientAliveCountMax it uses the encrypted channel to drop the SSH connection of an inactive user after 60*10=600 seconds. It is good to use it, but then MaxSessions and keeping a session open by one user will not work. ClientAliveCountMax and then the multiplier of ClientAliveInterval (i.e., 10).

sshd_config 9th part listing:

MaxStartups 5:15:30
Banner /etc/ssh/motd


MaxStartups and then the numbers X:Y:Z (i.e., 5:15:30), which mean random dropping of unauthenticated concurrent connections: 5 is the number of concurrent unauthenticated connections (made, for example, by an attacker) at which dropping begins (it can be used as a lone value or together with the others; see the man page); 15 is the base for the probability ratio, (15/100)*100%=15%; 30 is the maximum number of concurrent unauthenticated connections. Note: it is not the same as MaxSessions. MaxSessions works after authentication and MaxStartups works before authentication. It is good to set it higher than MaxSessions because of zombie processes that could take the socket for new connections.
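As an added example (not the article's own code), a small Python checker for the settings covered in parts 4 to 9: it parses an sshd_config fragment the way sshd reads it (first occurrence of a keyword wins, commented-out lines are not set), splits AuthenticationMethods into its chains, computes the ClientAlive idle timeout, and computes the MaxStartups drop probability for a given number of pending connections. The sample configuration and helper names are constructed for this example.

```python
import re

# Constructed sample modelled on the sshd_config parts discussed above;
# it is not one of the article's own listings.
SAMPLE_SSHD_CONFIG = """\
# Keywords are case-insensitive; '#' lines and blank lines are ignored.
AuthenticationMethods publickey,password publickey,keyboard-interactive
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
PermitEmptyPasswords no
#X11Forwarding no
PrintMotd yes
PrintLastLog yes
UsePrivilegeSeparation sandbox
PermitUserEnvironment no
ClientAliveInterval 60
ClientAliveCountMax 10
MaxStartups 5:15:30
Banner /etc/ssh/motd
"""


def parse_sshd_config(text):
    """Map lower-cased keyword -> value.  As sshd does, keep only the FIRST
    occurrence of a keyword and treat a commented-out line as not set."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+|\s*=\s*", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf


def auth_chains(conf):
    """AuthenticationMethods holds space-separated alternatives; each one is a
    comma-separated chain whose methods must all succeed in order (publickey,
    then password).  sshd lets the client in after completing any ONE chain."""
    return [chain.split(",") for chain in conf.get("authenticationmethods", "").split()]


def idle_timeout_seconds(conf):
    """ClientAliveInterval * ClientAliveCountMax: seconds of client silence
    before sshd drops the session (60 * 10 = 600 for the sample).  sshd's
    defaults are 0 (checks disabled) and 3."""
    return int(conf.get("clientaliveinterval", 0)) * int(conf.get("clientalivecountmax", 3))


def max_startups_drop_percent(spec, unauthenticated):
    """Chance (0-100) that sshd refuses a new connection while `unauthenticated`
    connections are still pending, for a MaxStartups 'start:rate:full' value:
    no drops below start, rate% at start, rising linearly to 100% at full.
    A single number N behaves like 'N:100:N'."""
    nums = [int(n) for n in spec.split(":")]
    start, rate, full = nums if len(nums) == 3 else (nums[0], 100, nums[0])
    if unauthenticated < start:
        return 0
    if unauthenticated >= full:
        return 100
    return (100 - rate) * (unauthenticated - start) // (full - start) + rate


def audit(conf):
    """Findings (empty list = clean) where the config departs from the
    settings recommended in parts 4 to 9 above."""
    findings = []
    chains = auth_chains(conf)
    if not chains:
        findings.append("AuthenticationMethods is not set")
    for chain in chains:
        if chain[0] != "publickey":
            findings.append("chain %s does not start with publickey" % ",".join(chain))
        if "password" in chain and conf.get("passwordauthentication", "yes") != "yes":
            findings.append("a password chain needs PasswordAuthentication yes")
    wanted = {
        "pubkeyauthentication": "yes",
        "permitemptypasswords": "no",
        "permituserenvironment": "no",
        "printlastlog": "yes",
    }
    for key, want in wanted.items():
        if conf.get(key) != want:
            findings.append("%s should be %s (is %s)" % (key, want, conf.get(key, "unset")))
    if conf.get("useprivilegeseparation", "yes") not in ("yes", "sandbox"):
        findings.append("UsePrivilegeSeparation should be yes or sandbox")
    if conf.get("x11forwarding", "no") == "yes":
        findings.append("X11Forwarding should stay off on a server")
    if idle_timeout_seconds(conf) == 0:
        findings.append("ClientAliveInterval is 0: idle sessions are never dropped")
    return findings
```

Run `sshd -T` on the real server to get the effective values before feeding them to audit(); that output already has the first-occurrence rule applied.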





Listing 1. ps aux command section

Listing 2. SSH successful connection screen shot

Using username “John”.

Access Restricted Equipment
All Activities are Monitored and Logged
Unauthorized Use Prohibited

By Accessing, You Are Agree Your Activities to be Monitored and Logged

Authenticating with public key “imported-openssh-key”
Passphrase for key “imported-openssh-key”:

Further authentication required

Banner and then the absolute path to the text file (i.e., /etc/ssh/motd). Its functionality is the same as that of PrintMotd.

Please look at the screen shot (Listing 2) of the successful SSH connection. The first banner is PrintMotd and the second, big one is Banner (generated by the banner application). There is the AuthenticationMethods order, starting from “authentication with public key with passphrase for that key” and then “user’s password authentication”. You can find the login details in /var/log/auth.log or in another file you set. You can see the last login details and system details as well. If you do not want to see/show the system info, just delete the line from the /etc/motd file or change it to something else (i.e., a fake OS). You also see the MATRIX and Unlock key text. This application is my own and you can try it by downloading it from www.iptrace.pl (go to Download and click on Locker). The application is free of charge and based on the BSD License. Please send any suggestions and errors about Locker via e-mail to locker@iptrace.pl.


Keys generation and usage 

We have to generate a private and public key pair. Next, we have to set up our OpenSSH server and then the client to use it.

The server side stores the public key because, from the server’s point of view, it is a “public” machine. Public means that other administrators (especially roots) have access to your home directory, and it is not advisable to keep the private key there. You are the owner of this key, so you have to keep it safe like the key to your house.

Let’s start by generating the key pair with 4096 bits of RSA. It is better to generate the key pair logged in as the owner of the keys, because the default key location will be proper and the owner of the files will be appropriate.

# ssh-keygen -b 4096


The output should look like Listing 3. Note: you can define a passphrase to improve security. It is referred to as password publickey in the AuthenticationMethods option. Setting the passphrase is not strictly required, but it is a good security approach. Sometimes the passphrase is omitted when users log in via other SSH clients, especially from Unix/Linux systems, just for one command, to speed up these procedures.

Listing 3. ssh-keygen command output

So we have two keys in the .ssh directory placed in the user’s home directory. The public key is named id_rsa.pub and the private key is named id_rsa. Rename the public key to authorized_keys (referred to by the AuthorizedKeysFile option) and change the permissions to 400. The changes on the server side have been completed.
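As an added example (not the article's own code), a Python script for the server-side steps above: it builds an authorized_keys line in the OpenSSH "ssh-rsa" wire format, reads the modulus size back out of such a line to confirm the key really is 4096 bits, installs the line under .ssh/authorized_keys relative to a home directory with mode 400, and checks the result. DEMO_MODULUS is a constructed stand-in with the right size, not a real key, and the helper names are my own.

```python
import base64
import os
import stat
import struct
import tempfile

# Constructed stand-in for a 4096-bit RSA modulus; NOT a real key, it only
# has the right size so that the wire format can be demonstrated.
DEMO_MODULUS = (1 << 4095) | 0x10001
DEMO_EXPONENT = 65537


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n):
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:          # mpint is signed: keep a positive value positive
        b = b"\x00" + b
    return _ssh_string(b)


def encode_ssh_rsa_public(e, n, comment):
    """One authorized_keys line: 'ssh-rsa <base64 of string|mpint e|mpint n> comment'."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


def rsa_bits_of_line(line):
    """Modulus size in bits of an ssh-rsa authorized_keys line, else None."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        return None
    blob, fields, pos = base64.b64decode(parts[1]), [], 0
    while pos + 4 <= len(blob):              # length-prefixed fields
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        return None
    return int.from_bytes(fields[2], "big").bit_length()


def make_demo_home():
    """A throwaway directory standing in for the user's home (constructed)."""
    return tempfile.mkdtemp(prefix="sshdemo-")


def install_authorized_key(home, line):
    """Put the public key where 'AuthorizedKeysFile .ssh/authorized_keys'
    (relative to the home directory) points, ending with mode 400."""
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    path = os.path.join(ssh_dir, "authorized_keys")
    if os.path.exists(path):
        os.chmod(path, 0o600)                # owner-writable only while appending
    with open(path, "a") as f:
        f.write(line.rstrip("\n") + "\n")
    os.chmod(path, 0o400)
    return path


def check_authorized_keys(home, min_bits=4096):
    """Findings (empty = clean): file present, .ssh private to the owner,
    authorized_keys mode 400, every key an ssh-rsa key of >= min_bits."""
    findings = []
    ssh_dir = os.path.join(home, ".ssh")
    path = os.path.join(ssh_dir, "authorized_keys")
    if not os.path.isfile(path):
        return ["authorized_keys is missing"]
    if stat.S_IMODE(os.stat(ssh_dir).st_mode) & 0o077:
        findings.append(".ssh is accessible to group or others")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode != 0o400:
        findings.append("authorized_keys mode is %o, expected 400" % mode)
    with open(path) as f:
        for lineno, entry in enumerate(f, 1):
            if not entry.strip() or entry.startswith("#"):
                continue
            bits = rsa_bits_of_line(entry)
            if bits is None:
                findings.append("line %d: not an ssh-rsa key" % lineno)
            elif bits < min_bits:
                findings.append("line %d: %d-bit key, want at least %d" % (lineno, bits, min_bits))
    return findings
```

On a real account, run check_authorized_keys() against the actual home directory after copying id_rsa.pub into place to confirm the 400 mode and key size before you log out of your existing session.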

Let’s look closer at the client side configuration. At first, we have to copy the data from the private key file to a standard text file. The file data is shown in Listing 4; you will have more data for the same 4096 bits, but I have truncated it to look better.

The next step is to select the data and copy it to a file placed on the client side, for example named ssh_key.txt. Note: the client side in this instance is based on MS Windows, WinSCP and Putty.

Now we have to regenerate our private key for Putty recognition. For this case we use one of the WinSCP apps, named PuTTYgen. So, run the application and click on Load to load your private key. While loading the file, the application asks for the passphrase. When complete (Figure 1), you will see the following window. Click Save for the private key, using a ppk extension.

Listing 4. Listing private key data

Figure 1. Generating private key for Putty recognition (PuTTYgen window: public key for pasting into the OpenSSH authorized_keys file, key fingerprint, key comment imported-openssh-key, key passphrase, the Load, Save public key and Save private key actions, key type SSH-2 RSA and number of bits)

At the end of our tour, we have to configure Putty to use our new private key. Run Putty and then go to the category Connection -> SSH -> Auth; there you will see the field Private key file for authentication. Click Browse and select your new private key file. Insert your server IP address and other settings and save your session for future use.


Conclusions 
Look at the man pages of sshd and sshd_config to learn more about other interesting options for SSH connections.

SSH is a great and rich protocol and can be used not only for SSH connections (terminal connections), but for file transfer, known as SFTP, or for VPN tunnelling. The OpenSSH configuration works great for SFTP connections using the mentioned WinSCP application. WinSCP is easy and similar to Putty in configuration.

You will find or devise a lot of authentication methods, but one that is interesting is known as one time password (OTP). You can find more information about it by searching the Internet. Try to use it in conjunction with e-mail, SMS or a token. Good Luck!

In the next series you will find out about:

OTP: one time password to beef SSH connections up.

VPN tunnelling: creating Virtual Private Networks using OpenSSH.

SFTP: known as SSH File Transfer Protocol, as opposed to standard FTP.
The BSD Certification Group Inc. (BSDCG) is a non-profit organization committed to creating and maintaining a global certification standard for system administration on BSD based operating systems.

WHAT CERTIFICATIONS ARE AVAILABLE?

BSDA: Entry-level certification suited for candidates with a general Unix background and at least six months of experience with BSD systems.

BSDP: Advanced certification for senior system administrators with at least three years of experience on BSD systems. Successful BSDP candidates are able to demonstrate strong to expert skills in BSD Unix system administration.

WHERE CAN I GET CERTIFIED?

We're pleased to announce that after 7 months of negotiations and the work required to make the exam available in a computer based format, the BSDA exam is now available at several hundred testing centers around the world. Paper based BSDA exams cost $75 USD. Computer based BSDA exams cost $150 USD. The price of the BSDP exams is yet to be determined.

Payments are made through our registration website:
https://register.bsdcertification.org//register/payment

WHERE CAN I GET MORE INFORMATION?

More information and links to our mailing lists, LinkedIn groups, and Facebook group are available at our website:
http://www.bsdcertification.org

Registration for upcoming exam events is available at our registration website:
https://register.bsdcertification.org//register/get-a-bsdcg-id
With the Recent Revelation That the United States Spied on Angela Merkel and the Subsequent Outrage From Politicians — Is this a Case of the “Lady Doth Protest Too Much”?

Here in the United Kingdom, we are well ahead of the game that the USA, the German leader, Angela Merkel, and the media are currently playing: the game of faux outrage and hurt feelings over the surveillance by the USA of the telephone conversations of 33 world leaders. After all, the scandal which has been simmering away for the past few years concerning the hacking of phone messages by News International, culminating with the Leveson enquiry (and the subsequent recommendations that press freedom be legally curtailed), is not the latest news. While quite rightly there was outrage that the media used such underhand tactics against the general public, politicians, celebrities and even the Royal Family, the other side of the argument has had scant coverage: that we live in a very different society from Victorian times.


You might be shocked at my blatant anchoring of loss of privacy values prior to the publication of George Orwell’s masterpiece 1984 in the post war years, but please bear with me. Casting aside the fact that Government, Kings and the Church have used spies throughout history, the Victorian age was the last epoch where the average man, woman or child could be guaranteed a relatively strong sense of privacy. That is why I must take Angela Merkel’s “outrage” with a pinch of salt the size of a Siberian salt mine. Any politician who is unaware of the historical precedent of dirty dealings between warring states (or indeed allies) is either naive, uneducated or deceived, and even more so in the case of Angela Merkel who must be aware of the worst abuses of government power that took place over the border in East Germany by the Stasi during the Cold War. If I was to be generous, I'd say the outrage is driven by that historical fact, but that leaves the unpleasant taste of hypocrisy in the mouth in that it is totally inconceivable that Germany does not spy on others. So I'm afraid it all boils down to the fact that technology has been the facilitator of a widespread erosion of privacy, and irrespective of political hue or ideal, any power will use that lever to their advantage where at all possible.

Let's get back to the Victorians. To send a letter (or to communicate) the letter was sealed, delivered, and the recipient would break the seal and read the communication. Like the well proven process used by the Roman General, the unbroken seal on the scroll was the guarantee of authenticity, unless of course the sender's credentials had been compromised. Forgery will always be the weak link in the chain; proving the identity of an individual with 100% accuracy is always elusive, as the immoral can always get round this provided they have enough resource. The question “Who am I” extends past philosophical debate into real life wherever the identity of a person requires confirmation. So we can assume that privacy was reasonably well guaranteed unless there was sufficient reason to commit the offence of intercepting the Queen's Mail, an offence that carried the death penalty.

From the 1900’s up until the Second World War, the widespread adoption of the telegraph, telephone and radio communications muddied the field, and this is where the root of the issue lies. The more people that are involved with the transmission of your message, the more open the transport medium used, the greater the coverage and penetration, the greater the chance your message is no longer private. Then came the Second World War. The necessity for documenting citizens became paramount in the interests of national security, and in the UK the adoption of the National Health Service and welfare state allowed a huge paper bank of the characteristics of the general population to develop. While crude, this database is the basis of the current conundrum: who can we trust to be the guardians of confidential data? Much has been made about NSA intercepts in that they are only interested in the meta-data (who is communicating with whom) rather than the message itself. On the face of it, that is a powerful rebuttal, but let’s not forget that in the age of the Strowger switch (used in telephone exchanges) it was relatively easy to calculate who is connected to whom. While invented in the late 1800’s, the first trial was not carried out in the UK until 1914. So the potential for capturing meta-data has been around at least since the early 1900's. What is revealing though is the notion of using the meta-data argument to support Internet snooping, as it is historically part of both the spy’s and detective’s trade-craft. In reality, the concept of privacy died along with horse
and cart. Whether it be multi-nationals gathering marketing information, software manufacturers knowing your physical location or government reading your email, there are too many areas to cover. Sadly, by the time Orwell’s book was published, the cracks had already started in the edifice of personal privacy, and while the Zeitgeist has been looking at the physical manifestations society wide, those that have the means, ability and reason to monitor have been increasing their power base under the radar (and I am being generous here) since the Second World War. What is truly telling though is the penalty for intercepting communications. In the Victorian age, the penalty was death. Today, a hefty fine and maybe a prison sentence will be your fate, despite the much greater opportunity for abuse. So I totally agree with the editor of the British satirical magazine Private Eye, Ian Hislop, that we have enough legislation as it is to combat any excesses of power, but the fact remains that there is one law for “them” and one law for “us”. Angela Merkel has managed to capture the ear of the US President, and I suspect while an apology will be made and steps taken by the German government to improve domestic security, this is no comfort for the man in the street. The only comfort I can see is that while the USA has probably the most advanced spying infrastructure in the world today, at least this is offset to a small degree by a Freedom of Information culture that has teeth, and a legal system that is not afraid to sue even government. Other countries are not so fortunate. Angela Merkel as a world leader has an intelligence service and a legislature at her beck and call. No doubt there will be some major changes to European legislation on the back of this revelation. But this is all smoke and mirrors. Unless people truly appreciate we no longer live in the age of privacy, and the full weight of the law is executed without bias to protect individuals, corporates and governments from abusive governments, corporates and individuals, we are all going to remain vulnerable, paranoid and an easy target. The concept of “who watches the watchers” has never been more apt.
Maximising Website Runtime on Host Servers Running FreeBSD

We've all seen the damage caused by web traffic spikes. During this year’s Super Bowl, the websites of 13 companies that advertised during the match went down within five minutes of the advert airing. With advertising slots being sold for up to $5,840,000 (£3.6m, €4.3m), and run to drive traffic, that’s one (well, 13) costly website failure.

Another very high profile crash came just recently, when the US's new healthcare insurance programme, Obamacare, launched. The exceptional traffic and various bottlenecks took the website out almost instantly.

Over 2 per cent of the world’s websites run on BSD (roughly 14 million websites). And a quick Google and forum search highlights that OpenBSD users are not immune to this problem. Therefore traffic spikes need to be part of any business continuity plan when working with BSD or any other Unix variant. But it’s not only website traffic spikes: as we move to cloud services we add extra dimensions to business continuity planning, and we have to look at disaster striking when a major cable is cut, or a myriad of other major system failures.


Business continuity planning 

There are two key metrics used by industry to evaluate available disaster recovery (DR) solutions. These are called recovery point objective (RPO) and recovery time objective (RTO). A typical response to DR is to have a primary site and a DR site, where data is replicated from the primary to the DR site at a certain interval.

Figure 1. Coca Cola’s traffic spike following its Super Bowl commercial (credit Yotta.net)

RPO is the amount of data lost in a disaster (such as the failure of a server or data center). This depends on the backup or replication frequency, since the worst case is that the disaster occurs just before the next scheduled replication.

RTO defines the amount of time it takes an organization 
to react to a disaster (whether automatically or manually; 
typically there will be at least some manual element such 
as changing IP addresses), performing the reconfigura- 
tion necessary to recreate the primary site at the DR site. 
For example if there is a fire at the primary site you would 
need to order new hardware and re-provision your servers 
from backups. For most web hosting companies retaining 
an exact replica of every server at the primary site at the 
DR site is not economically viable. 


Scaling Websites When There Are Spikes In 
Traffic 

The traditional model 

In the common shared hosting model, a web hosting com- 
pany will install a lot of websites on a single server with- 
out any high availability (HA) or redundancy, and set up a 
nightly backup via rsync. 

In this model, when a website gets very popular, the server which is hosting it is also busy serving requests for a lot of other websites and becomes over-loaded. Typical consequences of this are that the server will start to respond very slowly as the required number of I/O operations per second exceeds the capacity of the server. The server will soon run out of memory as the web requests stack up, start swapping to disk, and “thrash itself to death”.

The CloudLinux model

An alternative is the CloudLinux model, which contains the spike of traffic by imposing OS-level restrictions on the site experiencing heavy traffic. This is an improvement because the other sites on the server stay online. However, the disadvantage of this approach is that the website which is gaining the traffic is necessarily slowed down or stopped completely. If the server were to try to fully service all incoming requests for that site, it would crash, as above.
cluster. This eradicates downtime on any of the cluster’s 
sites, and therefore allows a host to enable full and auto- 
matic scalability. 

Using this method it’s possible to deliver three (or even 
four) orders of magnitude greater scalability than shared 
hosting solutions — assuming just 500 websites per serv- 
er, you can burst to 2 dedicated servers or 1,000x scal- 
ability — allowing websites to scale by intelligently and 
transparently migrating them between hosts. 

This is the method used for HybridCluster’s Site Juggler 
Live Migration. 


Keeping you online in a disaster 
When building distributed (cloud) systems we're faced 
with three tradeoffs: 


• Consistency — if a system is consistent, then queries to different nodes for the same data will always result in the same answer

• Availability — the system always responds to requests with a valid response

• Partition tolerance — if the parts of a distributed system become disconnected from each other they can continue to operate


In reality you can select two and these should be avail- 
ability and partition tolerance over consistency. Doing 
this allows the website to stay online in a disaster sce- 
nario, for example if an under-sea cable gets cut, and 
the European and US components of a cluster can no 
longer communicate with each other. 

If we look at a typical web request, for example a user uploading a photo to a WordPress blog, we can see content is backed up on multiple continents to prevent loss in a disaster (natural or man made).

About HybridCluster

HybridCluster has triggered a rethink about the cloud and hosting industry’s dependency on high cost, legacy virtualisation and storage stacks that fail to fully protect both businesses and end users. Computer scientists and industry experts have combined at HybridCluster to deliver breakthrough storage and hosting platform technology that automatically detects and recovers data centre outages in less than one minute, delivers 4x better density of customers per server, and offers end users the ability to self-recover lost files and data. (www.HybridCluster.com / @HybridCluster)

But once disaster strikes it is essential to then elect new 
masters for all the sites on both sides of the partition in or- 
der to keep the websites online on both sides of the Atlan- 
tic; something we worked into the HybridCluster protocols. 

Using this approach, when traffic is re-routed or the 
under-sea cable is repaired, the cluster can also rejoin 
and the masters negotiate which version of the website is 
more valuable based on how many changes have been 
made on both sides of the partition. This keeps your websites online all the time, everywhere in the world.


Summary 

Regardless of whether you're running a huge multination- 
al organization or an open source software site, downtime 
is costly. 

New techniques need to be applied both to cope with increased demands and, as we shift to cloud computing, to factor in disaster: intelligent handling of data to move sites between clusters, the automatic assigning of parent clusters after a partition is formed, and merging them again once it is fixed. By using an integrated suite of storage, replication and clustering technologies, such as HybridCluster, it’s possible to shift to a true cloud computing model and enable intelligent auto-scaling, as well as integrated backup and recovery.


LUKE MARSDEN 
CEO HybridCluster 
www.hybridcluster.com 
Another year, another PGDay.IT! The seventh edition of the main Italian conference fully dedicated to PostgreSQL, the world’s most advanced Open Source database, is over and ITPUG, the Italian PostgreSQL User’s Group, did a really great job in organizing this event.

PGDay.IT is a well known event in both the Italian and international PostgreSQL communities.

Thanks to the excellent work of ITPUG, the event has kept growing year after year and is today the main Italian conference fully dedicated to PostgreSQL.

But PGDay.IT is not just a conference, it is a party — the party of the PostgreSQL community and a party about Open Source. And as it was for the previous editions, the party started with a good dinner based on the famous Fiorentina steak, where attendees could meet and relax together.


The Conference 
PGDay.IT took place on October the 25th in Prato, Tus- 
cany, in the great Vaj Palace of the Monash University. 


PGDay.IT 2013 





The conference schedule was very rich, including 9 differ- 
ent speakers and 13 regular talks in two parallel sessions. 
Due to the high number of attendees and the need to reg- 
ister all of them, the conference started with a little delay 
that organizers were later able to make up, ensuring the 
conference schedule was not compromised. 

The keynote talk was given by Mr. Bruce Momjian, a PostgreSQL Core Member and very active developer. The talk was very interesting and enlightening about the Open Source world and the PostgreSQL community. After a short coffee break, it was time for the technical part of the conference to begin. The Sala Veneziana was focused on the development aspects tied to PostgreSQL, for instance, the usage of the GIS extension, the JSON formats, the unit testing of SQL pieces of code, and so on.
The Salone Grollo was focused on the administration of a 
database cluster and on the new features of PostgreSQL, 
like for instance updatable views, foreign data wrappers, 
etc. There was also space for a few short talks about the 
widespread use of PostgreSQL in different projects, from 
education to health-care contexts. 

Unlike previous editions of the conference, the whole 
day was not comprised of two parallel sessions full of reg- 
ular talks. In the afternoon, a session continued with regu- 
lar talks while the other was dedicated to the first ITPUG 
Lab, an interactive session discussed in more detail later. 

At the end of the day, all attendees participated in the 
Lightning Talks plenary session. The rules for this session 
were quite simple: 


• everyone can do a speech;

• a speech can be on whatever subject (but possibly related to PostgreSQL);

• each speech can be no more than 5 minutes.


The Lightning Talk session is a well established tradition 
in PostgreSQL related events, and PGDay.IT has had 
one at pretty much all editions of the conference. The 
aim of this session is to make attendees feel like part of 
the community, giving them the opportunity and, to some 
extent, forcing them to talk about their experiences, opin- 
ions, small or big projects and so on. And as in the pre- 
vious editions, participants were happy to propose to the 
audience their own utilities, projects and use cases relat- 
ed to PostgreSQL. 

A full day of PostgreSQL and technology surrounding it! 
You could have been walking around anywhere and found 
enthusiasts and professionals exchanging tips and tricks, 
experiences and opinions about the software they love. 
lt did not matter if it was a coffee break, lunch, or a talk 
break: everyone was looking for hints and new things to 
learn. This is the real aim of ITPUG and PGDay.IT: al- 
lowing and easing the experience/knowledge sharing and 
community aggregation. 

The day closed with a group picture and a lottery for ten 
one-year subscriptions to a developers’ magazine, kindly 
offered by one of the event sponsors. 


Organization 

The organization of PGDay.IT took almost 6 months; counting the work needed to fully close the conference, 7 months is a more appropriate estimate. This year the ITPUG board of directors changed, and therefore there were some initial difficulties in organizing the work. Eventually, ITPUG got the right momentum and was able to deliver a very high quality event. It is worth noting that, for the first time, ITPUG took a clear approach to the organization, tracking each single activity (see Box 2), and this represents a very important value. Not only because there is a clear history about what was done, who did the work, which skills were required, and how much time and resources each single piece of the whole picture took, but also because it eases the migration of knowledge across the ITPUG members themselves.


A More Accessible Event 

This year ITPUG made the event more accessible to everyone. In particular, two aspects were really important in the organization of the event: (i) defining special fees and discounts depending on the attendee's professional context and (ii) providing live streaming. The former allowed, for instance, university and/or high school students to approach the event and get in touch with the PostgreSQL community, while the latter delivered part of the conference contents to those who were unable to physically attend the event. In particular, PGDay.IT 2013 has been the first edition of the conference with live streaming.

The streaming was provided by one of the event sponsors and covered half of the conference (all of the Salone Grollo speeches). ITPUG believes that live streaming was important not only to deliver conference contents, but also to make known the high quality of the event, and therefore the good work of the ITPUG community.


PGDay.IT and Other Communities 

This edition was also the first to include different communities. First of all, the day before PGDay.IT there was another Computer Science event: the first OpenERPDay, organized at the Monash too. While OpenERP and PostgreSQL are really different projects, everyone who deals with an ERP application has to deal with a database, and this explains why some attendees of the OpenERPDay event also participated in the PGDay.IT one.


Box 1: PGDay.IT 2013 by numbers

Numbers do not express the quality of an event very well, but in order to give the readers an estimate of the size of PGDay.IT, the following are some interesting statistics:

- 91 registered attendees (including staff members)
- 13 regular talks
- 9 and a half hours of content
- 9 speakers
- 8 sponsors
- 8 staff members
- 6 free-of-charge patronages
- 3 rooms
- 2 parallel sessions
- 1 lab session


Box 2: History of the event: more than ever!

One important aspect of PGDay.IT is the way it has been organized. ITPUG committed to the use of an issue tracking system for all the activities tied and related to the event itself. This not only provides a more reliable and better classified history of the event than a simple mailbox or a plain wiki, but also allows ITPUG to literally clone the event for future arrangements. Of course, the aim of ITPUG and the meaning of PGDay.IT is not to stay the same year after year, and therefore this is unlikely to happen, but the important aspect of all this tracking activity is the detailed knowledge about the required skills, times, deliveries, cross-dependencies and so on that each single piece of the puzzle requires. ITPUG strongly believes this knowledge and methodology will help the organization of future events and will ease the joining of new forces into the staff.

But at PGDay.IT there was also the advertising of BSD related products, most notably PC-BSD and FreeNAS, and this has shown how related these communities are to the PostgreSQL one. In other words, there are a lot of professionals who use BSD on their development or production machines and manage large amounts of data using PostgreSQL.


A Social Event

As is tradition, once the event was over attendees and organizers met at a local pub to drink some great beer and relax together. The beer was kindly offered by one of the event sponsors.

The day after the event, for those who were spending the whole weekend in Prato, ITPUG advertised a few cultural events.

ITPUG strongly believes in social events, because they are the easiest way to make your professional network grow. More importantly, they are fun!





Box 3: Who Comes to PGDay.IT?

Our average attendee is a computer science professional with a clear interest in the database area, who already uses some kind of enterprise level database (possibly PostgreSQL) and wants to know more about PostgreSQL. Of course, PGDay.IT is open to everyone without any regard to their knowledge or skills, and in fact ITPUG worked hard to ensure the conference schedule included talks of different levels.

This year there were a good number of professionals coming from the Italian Public Administration (local governments, research institutes, universities, and so on), which is a good sign that PostgreSQL is not only used by private professionals, but is becoming more interesting to governments as well.
On the Web

- Italian PostgreSQL Users' Group (ITPUG) official website: http://www.itpug.org
- PGDay.IT 2013 official website: http://2013.pgday.it
- PostgreSQL official website: http://www.postgresql.org











The ITPUG Lab

ITPUG believes that the evolution of PGDay.IT has to include a laboratory session, but not an ordinary one: the ITPUG Lab was indeed derived from Open Space Technology (OST). This is not a new approach at all, but it is new in the database scenario, and judging by the success of the session, ITPUG strongly believes it has to be improved and introduced into other PostgreSQL-related events.

The ITPUG Lab was organized in a separate room and lasted exactly two hours. Attendees were invited to bring their own computers, even though a couple of extra computers were made available by the staff. In order to keep attendees together and promote the spontaneous formation of working teams, tables were appropriately arranged and network connections were provided only by wire.

The session started with a brief presentation of all attendees, and then everyone was invited to propose a specific subject (of course tied to the PostgreSQL world) and to write it on a shared whiteboard. Once subjects had been proposed, interested people started gathering in small teams (up to 5 members) to work on a specific subject. For instance, there was a team dedicated to installation, one to the local monitoring of the health of a database, one to remote monitoring and one to replication. Attendees were free to move from one team to another depending on their interests, capabilities, and team needs.

For almost half of the session there was a database fully up and running, with two teams working on it in order to monitor it locally and remotely respectively, and later on a third team was trying to replicate the database.

After two hours the session ended, and a quick summary of the experience was collected. All the participants reported full satisfaction with the laboratory, asking in particular for a longer one to be organized.


LUCA FERRARI

Luca Ferrari lives in Italy with his beautiful wife and son. He is an Adjunct Professor at Nipissing University, Canada, a co-founder and the president of the Italian PostgreSQL Users' Group (ITPUG). He simply loves the Open Source culture and refuses to log in to non-Unix systems. He can be reached online at http://fluca1978.blogspot.com.